@mitre/hdf-converters 3.2.0 → 3.3.0

package/dist/index.js

@@ -1,7 +1,7 @@
-import { n as detectConverter, t as registerAllFingerprints } from "./register-all-ik8sNfNf.js";
+import { n as detectConverter, t as registerAllFingerprints } from "./register-all-C3lYICDC.js";
 import { flattenOverlays } from "@mitre/hdf-parsers";
-import { buildCsv, buildXml, parseCsv, parseJSON, parseXml, parseXmlWithArrays, sha256, stripHtml as stripHTML } from "@mitre/hdf-utilities";
-import { Applicability, AuthorizationStatus, BoundaryDescription, CategorizationLevel, ControlType, Copyright, HashAlgorithm, OverrideType, PlanType, ResultStatus, VerificationMethodEnum, VerificationMethodEnum as VerificationMethodEnum$1, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
+import { buildCsv, buildXml, cvssScoreToSeverity, parseCsv, parseJSON, parsePurl, parseTimestamp, parseXml, parseXmlWithArrays, sha256, stripHtml as stripHTML } from "@mitre/hdf-utilities";
+import { Applicability, AuthorizationStatus, CVSSSeverity, CategorizationLevel, ControlType, Ecosystem, EvidenceType, HashAlgorithm, IdentityType, Justification, MilestoneStatus, OverrideType, PlanType, ResultStatus, TargetType, VerificationMethodEnum, Version, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
 import { DEFAULT_COMPONENT_MANAGEMENT_NIST_TAGS, DEFAULT_REMEDIATION_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS as DEFAULT_STATIC_ANALYSIS_NIST_TAGS$1, getAwsConfigNistControlByIdentifier, getAwsConfigNistControlByName, getCCINistMappings, getCweNistControl, getNessusNistControl, getNiktoNistControl, getOwaspNistControl, getScoutsuiteNistControl, nistToCci } from "@mitre/hdf-mappings";
 //#region shared/typescript/converterutil.ts
 /**
@@ -30,7 +30,7 @@ async function inputChecksum(input) {
 * Compute an Integrity object (for root-level document integrity) from raw input.
 *
 * Returns an Integrity with algorithm and checksum fields, suitable for
-* HdfBaseline.integrity, HdfSystem.integrity, HdfPlan.integrity, etc.
+* HDFBaseline.integrity, HDFSystem.integrity, HDFPlan.integrity, etc.
 *
 * @param input - Raw input string (JSON, XML, etc.)
 * @returns Integrity object with SHA-256 algorithm and checksum
@@ -120,7 +120,7 @@ function mapCWEToNIST(cweIDs, fallback) {
 	return controls.size > 0 ? [...controls].sort() : fallback;
 }
 /** Matches CWE identifiers like "CWE-79", "CWE 89", "cwe22". */
-const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
+const CWE_PATTERN$1 = /CWE[- ]?(\d+)/gi;
 /**
 * Extract all numeric CWE IDs from text.
 * Returns deduplicated sorted array of numeric ID strings (e.g., ["79", "89"]).
@@ -129,7 +129,7 @@ const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
 * @returns Sorted, deduplicated numeric CWE ID strings
 */
 function extractCWEIDs(text) {
-	const matches = [...text.matchAll(CWE_PATTERN)];
+	const matches = [...text.matchAll(CWE_PATTERN$1)];
 	if (matches.length === 0) return [];
 	const ids = [...new Set(matches.map((m) => m[1]))];
 	ids.sort();
@@ -175,10 +175,59 @@ function ensureArray(value) {
 */
 const DEFAULT_REMEDIATION_NIST_TAGS$1 = ["SI-2", "RA-5"];
 /**
+* Map a PURL `type` segment to the AffectedPackage `ecosystem` enum.
+* Unknown types fall back to `generic`, which the schema enum permits
+* as a catch-all.
+*/
+const PURL_TYPE_TO_ECOSYSTEM = {
+	npm: Ecosystem.Npm,
+	pypi: Ecosystem.Pypi,
+	rpm: Ecosystem.RPM,
+	deb: Ecosystem.Deb,
+	maven: Ecosystem.Maven,
+	gem: Ecosystem.Gem,
+	nuget: Ecosystem.Nuget,
+	golang: Ecosystem.Go,
+	go: Ecosystem.Go,
+	cargo: Ecosystem.Cargo
+};
+/**
+* Resolve an Ecosystem from a PURL type string. Returns `generic` for
+* unknown types so callers can keep the schema's name+version+ecosystem
+* triple valid without inventing a synthetic ecosystem.
+*/
+function ecosystemFromPurlType(type) {
+	if (!type) return Ecosystem.Generic;
+	return PURL_TYPE_TO_ECOSYSTEM[type.toLowerCase()] ?? Ecosystem.Generic;
+}
+/**
+* Build an Affected_Package primitive from any combination of the
+* vocabulary the schema accepts (purl / cpe / name+version+ecosystem).
+* Returns undefined when no identifier or full triple is present —
+* callers should skip the entry rather than emit a schema-invalid
+* AffectedPackage. Empty strings are treated as missing.
+*
+* The schema's anyOf requires at least one of:
+*   - name + version + ecosystem
+*   - purl alone
+*   - cpe alone
+*/
+function buildAffectedPackage$1(opts) {
+	const pkg = {};
+	if (opts.purl) pkg.purl = opts.purl;
+	if (opts.cpe) pkg.cpe = opts.cpe;
+	if (opts.name) pkg.name = opts.name;
+	if (opts.version) pkg.version = opts.version;
+	if (opts.ecosystem) pkg.ecosystem = opts.ecosystem;
+	if (opts.fixedInVersion) pkg.fixedInVersion = opts.fixedInVersion;
+	if (!Boolean(pkg.name && pkg.version && pkg.ecosystem) && !pkg.purl && !pkg.cpe) return void 0;
+	return pkg;
+}
+/**
 * Build an HDF Results document from options.
 *
 * Eliminates the repeated boilerplate of constructing generator, tool,
-* and assembling the top-level HdfResults in every converter. Mirrors
+* and assembling the top-level HDFResults in every converter. Mirrors
 * the Go shared.BuildHDFResults() function.
 *
 * @returns JSON string of the HDF Results document (pretty-printed)
@@ -333,7 +382,24 @@ function deriveControlTypeFromTags(tags) {
 */
 function deriveVerificationMethod(code) {
 	if (code === void 0 || code === null || code === "") return void 0;
-	return VerificationMethodEnum$1.Automated;
+	return VerificationMethodEnum.Automated;
+}
+function buildNoFindingsRequirement(id, codeDesc, startTime) {
+	return {
+		id,
+		title: "No findings reported",
+		impact: 0,
+		descriptions: [{
+			label: "default",
+			data: codeDesc
+		}],
+		results: [{
+			status: ResultStatus.Passed,
+			codeDesc,
+			startTime
+		}],
+		tags: {}
+	};
 }
 //#endregion
 //#region converters/legacyhdf-to-hdf/typescript/converter.ts
@@ -380,7 +446,7 @@ function impactToSeverity$2(impact) {
 * Normalize status values from v1.0 to v2.0 format.
 * Converts snake_case to camelCase.
 */
-function normalizeStatus(status) {
+function normalizeStatus$1(status) {
 	return {
 		"passed": "passed",
 		"failed": "failed",
@@ -426,7 +492,7 @@ function computeEffectiveStatus(impact, results) {
 * Transforms snake_case field names to camelCase.
 */
 function convertResult(v1Result) {
-	const v2Result = { status: normalizeStatus(v1Result.status) };
+	const v2Result = { status: normalizeStatus$1(v1Result.status) };
 	if (v1Result.code_desc !== void 0) v2Result.codeDesc = v1Result.code_desc;
 	if (v1Result.run_time !== void 0) v2Result.runTime = v1Result.run_time;
 	if (v1Result.start_time !== void 0) v2Result.startTime = v1Result.start_time;
@@ -470,7 +536,7 @@ function convertControl(v1Control) {
 	if (v1Control.code !== void 0) v2Req.code = v1Control.code;
 	if (v1Control.source_location !== void 0) v2Req.sourceLocation = v1Control.source_location;
 	if (v1Control.waiver_data !== void 0) v2Req.waiverData = v1Control.waiver_data;
-	if (v1Control.status !== void 0) v2Req.effectiveStatus = normalizeStatus(v1Control.status);
+	if (v1Control.status !== void 0) v2Req.effectiveStatus = normalizeStatus$1(v1Control.status);
 	if (v1Control.results && Array.isArray(v1Control.results)) v2Req.results = v1Control.results.map(convertResult);
 	if (!v2Req.effectiveStatus) v2Req.effectiveStatus = computeEffectiveStatus(v1Control.impact, v2Req.results ?? []);
 	v2Req.severity = tagSeverityToSeverity(v1Control.tags?.severity) ?? impactToSeverity$2(v1Control.impact);
@@ -682,18 +748,19 @@ async function convertSarifToHdf(input) {
 	const { items: limitedRuns, truncated: truncatedRuns } = limitArray(sarif.runs);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRuns) console.warn(`WARNING: Input truncated at ${limitedRuns.length} run items (original: ${sarif.runs.length})`);
+	const timestamp = /* @__PURE__ */ new Date();
 	return buildHdfResults({
 		generatorName: "sarif-to-hdf",
 		converterVersion: "1.0.0",
 		toolName: firstDriver?.name,
 		toolVersion: firstDriver?.version,
 		toolFormat: "SARIF",
-		baselines: limitedRuns.map((run) => convertRun(run, sarif.version, resultsChecksum)),
+		baselines: limitedRuns.map((run) => convertRun(run, sarif.version, resultsChecksum, timestamp)),
 		components: [],
-		timestamp: /* @__PURE__ */ new Date()
+		timestamp
 	});
 }
-function convertRun(run, version, resultsChecksum) {
+function convertRun(run, version, resultsChecksum, timestamp) {
 	const ruleMap = buildRuleMap(run);
 	const { items: limitedResults, truncated: truncatedResults } = limitArray(run.results);
 	/* v8 ignore next -- truncation only triggers with >100K items */
@@ -717,7 +784,14 @@ function convertRun(run, version, resultsChecksum) {
 		const group = groupMap.get(ruleId);
 		return convertResultGroup(ruleId, group.rule, group.results);
 	});
-	return createMinimalBaseline(run.tool?.driver?.name || "SARIF", requirements, {
+	const baselineName = run.tool?.driver?.name || "SARIF";
+	if (requirements.length === 0) {
+		const driverName = run.tool?.driver?.name?.trim() || "";
+		const target = driverName || "SARIF analyzer";
+		const idPrefix = driverName || "sarif";
+		requirements.push(buildNoFindingsRequirement(`${idPrefix}-no-findings`, `${target} ran and reported zero findings.`, timestamp));
+	}
+	return createMinimalBaseline(baselineName, requirements, {
 		version,
 		title: "Static Analysis Results Interchange Format",
 		resultsChecksum
@@ -747,8 +821,42 @@ function convertResultGroup(ruleId, rule, sarifResults) {
 	const controlType = deriveControlTypeFromTags(nistControls);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	const seenKeys = /* @__PURE__ */ new Set();
+	const packages = [];
+	for (const sr of sarifResults) {
+		const pkg = packageFromSarifProperties(sr.properties);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		packages.push(pkg);
+	}
+	if (packages.length > 0) req.affectedPackages = packages;
 	return req;
 }
+/**
+* Extract an Affected_Package from a SARIF result.properties bag.
+* Recognizes the SCA-tool convention of carrying purl / cpe /
+* packageName+packageVersion / name+version. Returns undefined for
+* SAST results that lack any package identity.
+*/
+function packageFromSarifProperties(props) {
+	if (!props) return void 0;
+	const name = props.packageName ?? props.name;
+	const version = props.packageVersion ?? props.version;
+	let ecosystem;
+	if (props.purl) ecosystem = ecosystemFromPurlType(parsePurl(props.purl)?.type);
+	else if (props.ecosystem) ecosystem = ecosystemFromPurlType(props.ecosystem);
+	else if (name && version) ecosystem = Ecosystem.Generic;
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem,
+		purl: props.purl,
+		cpe: props.cpe,
+		fixedInVersion: props.fixedInVersion
+	});
+}
 function resolveRuleLevel(rule, results) {
 	if (rule?.defaultConfiguration?.level) return rule.defaultConfiguration.level;
 	for (const r of results) if (!r.kind || r.kind === "fail") {
@@ -961,14 +1069,16 @@ async function convertJunitToHdf(input) {
 	if (!input || !input.trim()) throw new Error("Empty input");
 	validateInputSize(input, "junit");
 	const { suites, name } = parseJUnitXML(input);
+	const requirements = buildRequirements(suites);
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("junit-no-findings", `JUnit scanned ${noFindingsTarget(name, suites)} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	return buildHdfResults({
-		generatorName: "hdf-converters",
+		generatorName: "junit-to-hdf",
 		converterVersion: CONVERTER_VERSION$2,
 		toolName: "JUnit XML",
 		toolFormat: "XML",
-		baselines: [createMinimalBaseline(name, buildRequirements(suites), { resultsChecksum: await inputChecksum(input) })],
+		baselines: [createMinimalBaseline(name, requirements, { resultsChecksum: await inputChecksum(input) })],
 		components: [{
-			type: Copyright.Application,
+			type: TargetType.Application,
 			name
 		}],
 		timestamp: /* @__PURE__ */ new Date()
@@ -1067,6 +1177,11 @@ function buildCodeDesc$9(tc) {
 	if (tc.classname) return `${tc.classname} :: ${tc.name}`;
 	return tc.name;
 }
+function noFindingsTarget(baselineName, suites) {
+	if (baselineName && baselineName !== "JUnit Test Results") return baselineName;
+	for (const s of suites) if (s.name) return s.name;
+	return "JUnit test suite";
+}
 //#endregion
 //#region converters/xccdf-results-to-hdf/typescript/converter.ts
 const CONVERTER_VERSION$1 = "1.0.0";
@@ -1131,6 +1246,10 @@ async function convertBenchmarkResultsToHdf(benchmark, rawInput) {
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRR) console.warn(`WARNING: Input truncated at ${limitedRuleResults.length} rule-result items (original: ${ruleResults.length})`);
 	const requirements = limitedRuleResults.map((rr) => ruleResultToRequirement(rr, ruleIndex));
+	if (requirements.length === 0) {
+		const target = xccdfTargetName(testResult, benchmark);
+		requirements.push(buildNoFindingsRequirement("xccdf-results-no-findings", `XCCDF scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const resultsChecksum = await inputChecksum(rawInput);
 	const baseline = createMinimalBaseline(extractText(benchmark.title) || "XCCDF Benchmark", requirements, { resultsChecksum });
 	const components = buildTargets(testResult);
@@ -1144,7 +1263,7 @@ async function convertBenchmarkResultsToHdf(benchmark, rawInput) {
 	const hdf = {
 		baselines: [baseline],
 		generator: {
-			name: "hdf-converters",
+			name: "xccdf-results-to-hdf",
 			version: CONVERTER_VERSION$1
 		},
 		tool: {
@@ -1183,6 +1302,10 @@ async function convertArfCollection(arc, rawInput) {
 		/* v8 ignore next -- truncation only triggers with >100K items */
 		if (truncatedARFRR) console.warn(`WARNING: Input truncated at ${limitedARFRuleResults.length} rule-result items (original: ${ruleResults.length})`);
 		const requirements = limitedARFRuleResults.map((rr) => ruleResultToRequirement(rr, ruleIndex));
+		if (requirements.length === 0) {
+			const target = xccdfTargetName(testResult, benchmark);
+			requirements.push(buildNoFindingsRequirement("xccdf-results-no-findings", `XCCDF scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+		}
 		let baselineName = "";
 		if (benchmark) baselineName = extractText(benchmark.title) || "";
 		if (!baselineName) baselineName = extractText(testResult.title) || testResult.id || "ARF Report";
@@ -1203,7 +1326,7 @@ async function convertArfCollection(arc, rawInput) {
 	const hdf = {
 		baselines,
 		generator: {
-			name: "hdf-converters",
+			name: "xccdf-results-to-hdf",
 			version: CONVERTER_VERSION$1
 		},
 		tool: {
@@ -1303,6 +1426,22 @@ function ruleResultToRequirement(rr, ruleIndex) {
 	return req;
 }
 /**
+* Pick the most specific identifier available for a no-findings codeDesc.
+* Falls back through TestResult target/title, benchmark title/id, then a generic phrase.
+*/
+function xccdfTargetName(testResult, benchmark) {
+	const tr = testResult ?? {};
+	const target = (tr.target ?? "").trim();
+	if (target) return target;
+	const trTitle = extractText(tr.title).trim();
+	if (trTitle) return trTitle;
+	const benchTitle = extractText(benchmark?.title).trim();
+	if (benchTitle) return benchTitle;
+	const benchId = (benchmark?.id ?? "").trim();
+	if (benchId) return benchId;
+	return "the target";
+}
+/**
 * Build Component array from TestResult metadata.
 */
 function buildTargets(testResult) {
@@ -1311,7 +1450,7 @@ function buildTargets(testResult) {
 	const addresses = testResult["target-address"] ?? [];
 	const target = {
 		name: targetName,
-		type: Copyright.Host,
+		type: TargetType.Host,
 		labels: {}
 	};
 	if (addresses.length > 0) target.ipAddress = addresses[0];
@@ -1766,11 +1905,11 @@ const CONVERTER_VERSION = "1.0.0";
 * applicability are omitted (the checklist format cannot substantiate them).
 * Original-format metadata is stashed in extensions/tags for round-trip.
 */
-function checklistToHdf(cl, resultsChecksum) {
+function checklistToHdf(cl, resultsChecksum, generatorName) {
 	const hdf = {
 		baselines: cl.stigs.map((s) => stigToBaseline(s, resultsChecksum)),
 		generator: {
-			name: "hdf-converters",
+			name: generatorName,
 			version: CONVERTER_VERSION
 		},
 		tool: {
@@ -1835,7 +1974,7 @@ function assetToComponent(a) {
 	if (!a.hostName && !a.hostIP && !a.hostFQDN) return void 0;
 	const c = {
 		name: a.hostName || a.hostFQDN || a.hostIP || "",
-		type: Copyright.Host
+		type: TargetType.Host
 	};
 	if (a.hostIP) c.ipAddress = a.hostIP;
 	if (a.hostFQDN) c.fqdn = a.hostFQDN;
@@ -2010,7 +2149,7 @@ async function convertCklToHdf(input) {
 	validateInputSize(input, "ckl-to-hdf");
 	const resultsChecksum = await inputChecksum(input);
 	const checklist = parseCkl(input);
-	return JSON.stringify(checklistToHdf(checklist, resultsChecksum), null, 2);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum, "ckl-to-hdf"), null, 2);
 }
 //#endregion
 //#region converters/cklb-to-hdf/typescript/converter.ts
@@ -2027,7 +2166,7 @@ async function convertCklbToHdf(input) {
 	validateInputSize(input, "cklb-to-hdf");
 	const resultsChecksum = await inputChecksum(input);
 	const checklist = parseCklb(input);
-	return JSON.stringify(checklistToHdf(checklist, resultsChecksum), null, 2);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum, "cklb-to-hdf"), null, 2);
 }
 //#endregion
 //#region converters/hdf-to-ckl/typescript/converter.ts
@@ -2078,7 +2217,28 @@ function formatDependencyPath(from) {
 /**
 * Builds a single EvaluatedRequirement from a group of vulnerabilities sharing an ID.
 */
-function buildRequirement$16(vulnID, vulns) {
+/**
+* Map Snyk's `packageManager` value to an Affected_Package ecosystem.
+* Snyk reports values that don't always match PURL types one-to-one
+* (pip → pypi, rubygems → gem, yarn → npm). Unknown managers fall back
+* to `generic`.
+*/
+function ecosystemFromSnykPackageManager(pm) {
+	if (!pm) return Ecosystem.Generic;
+	const lower = pm.toLowerCase();
+	if (lower === "pip" || lower === "pip3") return Ecosystem.Pypi;
+	if (lower === "rubygems" || lower === "bundler") return Ecosystem.Gem;
+	if (lower === "yarn" || lower === "npm") return Ecosystem.Npm;
+	return ecosystemFromPurlType(lower);
+}
+/** Synthesize a `pkg:<type>/<name>@<version>` PURL when the ecosystem
+*  maps cleanly. Returns undefined for `generic` so we don't emit a
+*  fake `pkg:generic/...` PURL that downstream tools can't dereference. */
+function synthesizePurl(ecosystem, name, version) {
+	if (ecosystem === Ecosystem.Generic) return void 0;
+	return `pkg:${ecosystem}/${name}@${version}`;
+}
+function buildRequirement$16(vulnID, vulns, packageManager) {
 	const rep = vulns[0];
 	const cweIDs = rep.identifiers.CWE ?? [];
 	const nist = mapCWEToNIST(cweIDs, DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
@@ -2098,6 +2258,19 @@ function buildRequirement$16(vulnID, vulns) {
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	const name = rep.packageName ?? rep.moduleName;
+	const version = rep.version;
+	if (name && version) {
+		const ecosystem = ecosystemFromSnykPackageManager(packageManager);
+		const pkg = buildAffectedPackage$1({
+			name,
+			version,
+			ecosystem,
+			purl: synthesizePurl(ecosystem, name, version),
+			fixedInVersion: rep.fixedIn?.[0]
+		});
+		if (pkg) req.affectedPackages = [pkg];
+	}
 	return req;
 }
 /**
@@ -2114,7 +2287,11 @@ function convertSingleProject(report, resultsChecksum) {
 		else groups.set(vuln.id, [vuln]);
 	}
 	const requirements = [];
-	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$16(vulnID, vulns));
+	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$16(vulnID, vulns, report.packageManager));
+	if (requirements.length === 0) {
+		const target = report.projectName ?? report.path ?? "project";
+		requirements.push(buildNoFindingsRequirement("snyk-no-findings", `Snyk scanned ${target} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
 	return createMinimalBaseline("Snyk Scan", requirements, {
 		resultsChecksum,
 		title: `Snyk Project: ${report.projectName ?? ""} Snyk Path: ${report.path ?? ""}`,
@@ -2159,7 +2336,7 @@ async function convertSnykToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -2227,6 +2404,92 @@ function buildCodeDesc$8(match) {
 	}
 	return parts.join(" | ");
 }
+function cvssVersionToSchema(v) {
+	switch (v) {
+		case "2.0": return Version.The20;
+		case "3.0": return Version.The30;
+		case "4.0": return Version.The40;
+		default: return Version.The31;
+	}
+}
+function cvssBandSeverity(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "critical": return CVSSSeverity.Critical;
+		case "high": return CVSSSeverity.High;
+		case "medium": return CVSSSeverity.Medium;
+		case "low": return CVSSSeverity.Low;
+		default: return CVSSSeverity.None;
+	}
+}
+function buildCvssEntries$1(vuln) {
+	if (!vuln.cvss || vuln.cvss.length === 0) return;
+	const entries = [];
+	for (const c of vuln.cvss) {
+		const entry = { version: cvssVersionToSchema(c.version) };
+		if (c.vector) entry.baseVector = c.vector;
+		const score = c.metrics?.baseScore;
+		if (typeof score === "number" && Number.isFinite(score)) {
+			entry.baseScore = score;
+			entry.baseSeverity = cvssBandSeverity(score);
+		}
+		if (vuln.id) entry.source = vuln.id;
+		if (entry.baseVector === void 0 && entry.baseScore === void 0) continue;
+		entries.push(entry);
+	}
+	return entries.length > 0 ? entries : void 0;
+}
+function mapGrypeTypeToEcosystem(grypeType) {
+	switch ((grypeType ?? "").toLowerCase()) {
+		case "rpm": return Ecosystem.RPM;
+		case "deb": return Ecosystem.Deb;
+		case "npm": return Ecosystem.Npm;
+		case "python": return Ecosystem.Pypi;
+		case "gem": return Ecosystem.Gem;
+		case "go-module": return Ecosystem.Go;
+		case "java-archive":
+		case "jenkins-plugin": return Ecosystem.Maven;
+		case "dotnet": return Ecosystem.Nuget;
+		case "rust-crate": return Ecosystem.Cargo;
+		default: return Ecosystem.Generic;
+	}
+}
+function buildAffectedPackages(match) {
+	const artifact = match.artifact;
+	const pkg = {
+		name: artifact.name,
+		version: artifact.version,
+		ecosystem: mapGrypeTypeToEcosystem(artifact.type)
+	};
+	if (artifact.cpes && artifact.cpes.length > 0 && artifact.cpes[0]) pkg.cpe = artifact.cpes[0];
+	if (artifact.purl) pkg.purl = artifact.purl;
+	const fix = match.vulnerability.fix;
+	if (fix && fix.state === "fixed" && fix.versions && fix.versions.length > 0 && fix.versions[0]) pkg.fixedInVersion = fix.versions[0];
+	return [pkg];
+}
+const CWE_ID_PATTERN = /^CWE-[1-9]\d*$/;
+function extractCwe(raw) {
+	if (!raw || raw.length === 0) return void 0;
+	const out = raw.filter((c) => CWE_ID_PATTERN.test(c));
+	return out.length === 0 ? void 0 : out;
+}
+function buildEpss$1(entries) {
+	if (!entries || entries.length === 0) return void 0;
+	const e = entries[0];
+	if (!e.date) return void 0;
+	return {
+		score: e.epss ?? 0,
+		percentile: e.percentile ?? 0,
+		date: e.date
+	};
+}
+function buildKev(k) {
+	if (!k) return void 0;
+	const out = { inKev: Boolean(k.inKev) };
+	if (k.dateAdded) out.dateAdded = k.dateAdded;
+	if (k.dueDate) out.dueDate = k.dueDate;
+	if (k.notes) out.notes = k.notes;
+	return out;
+}
 function convertMatchToRequirement(match, isIgnored) {
 	const vuln = match.vulnerability;
 	const cveId = vuln.id;
@@ -2277,6 +2540,15 @@ function convertMatchToRequirement(match, isIgnored) {
 	};
 	const controlType = deriveControlTypeFromTags(DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
 	if (controlType !== void 0) requirement.controlType = controlType;
+	const cvss = buildCvssEntries$1(vuln);
+	if (cvss) requirement.cvss = cvss;
+	requirement.affectedPackages = buildAffectedPackages(match);
+	const cwe = extractCwe(vuln.cwe);
+	if (cwe) requirement.cwe = cwe;
+	const epss = buildEpss$1(vuln.epss);
+	if (epss) requirement.epss = epss;
+	const kev = buildKev(vuln.kev);
+	if (kev) requirement.kev = kev;
 	return requirement;
 }
 async function convertGrypeToHdf(input) {
@@ -2297,6 +2569,7 @@ async function convertGrypeToHdf(input) {
 		for (const match of limitedIgnored) requirements.push(convertMatchToRequirement(match, true));
 	}
 	const targetName = grypeData.source?.target?.userInput || "Grype Scan";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("grype-no-findings", `Grype scanned ${targetName} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline(targetName, requirements, { resultsChecksum });
 	return buildHdfResults({
 		generatorName: grypeData.descriptor?.name || "grype",
@@ -2305,7 +2578,7 @@ async function convertGrypeToHdf(input) {
 		toolVersion: grypeData.descriptor?.version,
 		baselines: [baseline],
 		components: [{
-			type: Copyright.Artifact,
+			type: TargetType.Artifact,
 			name: targetName
 		}],
 		timestamp: grypeData.descriptor?.timestamp ? new Date(grypeData.descriptor.timestamp) : /* @__PURE__ */ new Date()
@@ -2313,6 +2586,8 @@ async function convertGrypeToHdf(input) {
 }
 //#endregion
 //#region converters/nessus-to-hdf/typescript/converter.ts
+const CVE_SOURCE_RE = /^CVE-\d{4}-\d{4,}$/;
+const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
 const converterVersion = "1.0.0";
 const IMPACT_MAPPING$7 = {
 	"4": .9,
@@ -2340,7 +2615,9 @@ async function convertNessusToHdf(nessusXml) {
 		"preference",
 		"tag",
 		"ReportItem",
-		"ReportHost"
+		"ReportHost",
+		"cwe",
+		"cve"
 	]);
 	const policyName = parsed.NessusClientData_v2.Policy.policyName;
 	const version = extractVersion(parsed);
@@ -2362,7 +2639,7 @@ async function convertNessusToHdf(nessusXml) {
 		components,
 		statistics: { duration },
 		generator: {
-			name: "hdf-converters",
+			name: "nessus-to-hdf",
 			version: converterVersion
 		},
 		tool: { name: "Nessus" },
@@ -2409,6 +2686,12 @@ function convertReportHostToBaseline(host, policyName, version, resultsChecksum)
 		if (truncatedItems) console.warn(`WARNING: Input truncated at ${limitedItems.length} ReportItem items (original: ${items.length})`);
 		requirements = limitedItems.map((item) => convertReportItemToRequirement(item, host));
 	} else requirements = [];
+	if (requirements.length === 0) {
+		const target = host.name || getHostPropertyValue(host, "host-ip") || "host";
+		const startTimeStr = getHostPropertyValue(host, "HOST_START");
+		const startTime = startTimeStr ? new Date(startTimeStr) : /* @__PURE__ */ new Date();
+		requirements = [buildNoFindingsRequirement("nessus-no-findings", `Nessus scanned ${target} and reported zero findings.`, startTime)];
+	}
 	return createMinimalBaseline(`Nessus ${policyName}`, requirements, {
 		title: `Nessus ${policyName}`,
 		version,
@@ -2442,8 +2725,141 @@ function convertReportItemToRequirement(item, host) {
 	};
 	if (controlType !== void 0) req.controlType = controlType;
 	if (verificationMethod !== void 0) req.verificationMethod = verificationMethod;
+	if (!isCompliance) {
+		const cvssEntries = buildCvssEntries(item);
+		if (cvssEntries.length > 0) req.cvss = cvssEntries;
+		const cweIDs = buildCweIDs(item);
+		if (cweIDs.length > 0) req.cwe = cweIDs;
+		const epss = buildEpss(item, host);
+		if (epss !== void 0) req.epss = epss;
+	}
 	return req;
 }
+/**
+* Build a structured Cvss entry for a CVE finding. Returns an array because
+* the schema models cvss as a multi-entry array (Nessus emits one entry per
+* item; multi-vendor convergence may yield more).
+*/
+function buildCvssEntries(item) {
+	const source = (item.cvss_score_source || "").trim();
+	if (!source || !CVE_SOURCE_RE.test(source)) return [];
+	const hasV3 = !!(item.cvss3_vector || item.cvss3_base_score);
+	const hasV2 = !!(item.cvss_vector || item.cvss_base_score);
+	if (!hasV3 && !hasV2) return [];
+	let version;
+	let baseVector;
+	let baseScore;
+	let threatVector;
+	let threatScore;
+	if (hasV3) {
+		version = detectV3Version(item.cvss3_vector ?? "");
+		baseVector = item.cvss3_vector || void 0;
+		baseScore = parseFloatOrUndef(item.cvss3_base_score);
+		threatVector = stripVersionPrefix(item.cvss3_temporal_vector);
+		threatScore = item.cvss3_temporal_score ? parseFloatSafe(item.cvss3_temporal_score) : void 0;
+	} else {
+		version = Version.The20;
+		baseVector = stripV2Prefix(item.cvss_vector ?? "") || void 0;
+		baseScore = parseFloatOrUndef(item.cvss_base_score);
+		threatVector = stripV2Prefix(item.cvss_temporal_vector ?? "") || void 0;
+		threatScore = item.cvss_temporal_score ? parseFloatSafe(item.cvss_temporal_score) : void 0;
+	}
+	const entry = {
+		version,
+		source
+	};
+	if (baseVector) entry.baseVector = baseVector;
+	if (baseScore !== void 0) {
+		entry.baseScore = baseScore;
+		const baseSeverity = mapCvssSeverity(baseScore);
+		if (baseSeverity !== void 0) entry.baseSeverity = baseSeverity;
+	}
+	if (threatVector !== void 0 && threatVector !== "") entry.threatVector = threatVector;
+	if (threatScore !== void 0) {
+		entry.threatScore = threatScore;
+		entry.computedScore = threatScore;
+		const computedSeverity = mapCvssSeverity(threatScore);
+		if (computedSeverity !== void 0) entry.computedSeverity = computedSeverity;
+	}
+	return [entry];
+}
+function detectV3Version(vector) {
+	if (vector.startsWith("CVSS:3.1/")) return Version.The31;
+	if (vector.startsWith("CVSS:3.0/")) return Version.The30;
+	return Version.The30;
+}
+function stripVersionPrefix(vector) {
+	if (!vector) return void 0;
+	for (const prefix of [
+		"CVSS:3.0/",
+		"CVSS:3.1/",
+		"CVSS:4.0/"
+	]) if (vector.startsWith(prefix)) return vector.slice(prefix.length);
+	return vector;
+}
+function stripV2Prefix(vector) {
+	return vector.startsWith("CVSS2#") ? vector.slice(6) : vector;
+}
+function parseFloatSafe(s) {
+	if (!s) return 0;
+	const f = Number.parseFloat(s);
+	return Number.isFinite(f) ? f : 0;
+}
+function parseFloatOrUndef(s) {
+	if (s === void 0 || s === "") return void 0;
+	const f = Number.parseFloat(s);
+	return Number.isFinite(f) ? f : void 0;
+}
+function mapCvssSeverity(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "critical": return CVSSSeverity.Critical;
+		case "high": return CVSSSeverity.High;
+		case "medium": return CVSSSeverity.Medium;
+		case "low": return CVSSSeverity.Low;
+		case "none": return CVSSSeverity.None;
+		default: return;
+	}
+}
+/**
+* Extract CWE IDs from a ReportItem's <cwe> elements. Nessus emits bare
+* numeric IDs (e.g. <cwe>200</cwe>); occasionally pipe-separated or prefixed
+* forms appear. Output is "CWE-N" form per schema convention.
+*/
+function buildCweIDs(item) {
+	if (!item.cwe) return [];
+	const raws = Array.isArray(item.cwe) ? item.cwe : [item.cwe];
+	const seen = /* @__PURE__ */ new Set();
+	for (const raw of raws) {
+		const text = String(raw);
+		for (const m of text.matchAll(CWE_PATTERN)) if (m[1]) seen.add(m[1]);
+		for (const tok of text.split(/[^0-9]+/)) if (tok !== "") seen.add(tok);
+	}
+	if (seen.size === 0) return [];
+	return [...seen].sort().map((id) => `CWE-${id}`);
+}
+/**
+* Build a structured Epss entry when the ReportItem includes EPSS data.
+* The date is derived from the host's HOST_START in YYYY-MM-DD form.
+*/
+function buildEpss(item, host) {
+	const hasScore = item.epss_score !== void 0 && item.epss_score !== "";
+	const hasPct = item.epss_percentile !== void 0 && item.epss_percentile !== "";
+	if (!hasScore && !hasPct) return void 0;
+	const date = epssDate(host);
+	if (date === void 0) return void 0;
+	return {
+		date,
+		score: hasScore ? parseFloatSafe(item.epss_score) : 0,
+		percentile: hasPct ? parseFloatSafe(item.epss_percentile) : 0
+	};
+}
+function epssDate(host) {
+	const hs = getHostPropertyValue(host, "HOST_START");
+	if (hs) {
+		const d = new Date(hs);
+		if (!Number.isNaN(d.getTime())) return d.toISOString().slice(0, 10);
+	}
+}
 function buildDescriptions(item, isCompliance) {
 	const descriptions = [];
 	if (isCompliance && item["compliance-info"]) descriptions.push({
@@ -2504,7 +2920,7 @@ function buildTags$2(item, isCompliance) {
 }
 function buildRefs(item) {
 	const refs = [];
-	if (item.see_also) refs.push({ url: item.see_also });
+	if (item.see_also) for (const url of item.see_also.split(/\s+/).filter(Boolean)) refs.push({ url });
 	return refs.length > 0 ? refs : void 0;
 }
 function buildResult$1(item, host, isCompliance) {
@@ -2546,7 +2962,7 @@ function convertReportHostToTarget(host) {
 	});
 	const target = {
 		name: hostName,
-		type: Copyright.Host
+		type: TargetType.Host
 	};
 	if (isFQDN(hostName)) target.fqdn = hostName;
 	const hostIp = hostProps["host-ip"];
@@ -2614,18 +3030,40 @@ async function convertSonarqubeToHdf(input) {
 		const baseline = convertProjectToBaseline(projectKey, issues, componentMap, ruleMap, resultsChecksum);
 		baselines.push(baseline);
 	}
+	let components = Array.from(issuesByProject.keys()).map((projectKey) => ({
+		type: TargetType.Application,
+		name: projectKey
+	}));
+	if (baselines.length === 0) {
+		const targetName = deriveEmptyScanTarget(sonarData.components);
+		baselines.push({
+			name: targetName,
+			title: `SonarQube Analysis for ${targetName}`,
+			requirements: [buildNoFindingsRequirement("sonarqube-no-findings", `SonarQube scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date())],
+			resultsChecksum
+		});
+		components = [{
+			type: TargetType.Application,
+			name: targetName
+		}];
+	}
 	return buildHdfResults({
 		generatorName: "sonarqube-to-hdf",
 		converterVersion: "1.0.0",
 		toolName: "SonarQube",
 		baselines,
-		components: Array.from(issuesByProject.keys()).map((projectKey) => ({
-			type: Copyright.Application,
-			name: projectKey
-		})),
+		components,
 		timestamp: /* @__PURE__ */ new Date()
 	});
 }
+function deriveEmptyScanTarget(components) {
+	if (components) {
+		const project = components.find((c) => c.qualifier === "TRK");
+		if (project) return project.key;
+		if (components.length > 0) return components[0].key;
+	}
+	return "the SonarQube project";
+}
 function convertProjectToBaseline(projectKey, issues, componentMap, ruleMap, resultsChecksum) {
 	const issuesByRule = /* @__PURE__ */ new Map();
 	for (const issue of issues) {
@@ -2788,6 +3226,20 @@ function buildResult(r) {
 		...startTime ? { startTime } : {}
 	});
 }
+/**
+* Synthesizes a single HDF result for a Config rule whose live evaluation
+* returned zero in-scope resources. The HDF schema requires `results` to have
+* minItems >= 1; this honestly signals to auditors that the rule's check ran
+* but had no scope in this account/region rather than vacuously claiming
+* "passed". See issue #80 bug 2.
+*/
+function buildNotApplicableResult(rule) {
+	const codeDesc = `AWS Config rule ${rule.ConfigRuleName} evaluated zero in-scope resources in this account/region.`;
+	return createResult(ResultStatus.NotApplicable, codeDesc, {
+		codeDesc,
+		startTime: /* @__PURE__ */ new Date()
+	});
+}
 function buildRequirement$15(rule) {
 	const nist = buildNistTags$3(rule.Source.SourceIdentifier, rule.ConfigRuleName);
 	const tags = nist.length > 0 ? { nist } : {};
@@ -2799,7 +3251,7 @@ function buildRequirement$15(rule) {
 		data: buildCheckText(rule)
 	}];
 	const title = `${getAccountId(rule.ConfigRuleArn)} - ${rule.ConfigRuleName}`;
-	const results = rule.EvaluationResults.map(buildResult);
+	const results = rule.EvaluationResults.length > 0 ? rule.EvaluationResults.map(buildResult) : [buildNotApplicableResult(rule)];
 	const req = createRequirement(rule.ConfigRuleId, title, descriptions, .5, results, {
 		tags,
 		sourceLocation: {
@@ -2843,7 +3295,7 @@ async function convertAwsConfigToHdf(input) {
 		toolName: "AWS Config",
 		baselines: [baseline],
 		components: [{
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			name: `AWS Account ${accountId}`,
 			labels: {
 				account: accountId,
@@ -2952,8 +3404,12 @@ async function convertCheckovToHdf(input) {
 	}
 	const requirements = [];
 	for (const [checkId, checks] of groups) requirements.push(buildRequirement$14(checkId, checks));
-	const baseline = createMinimalBaseline("Checkov Scan", requirements, { resultsChecksum });
 	const format = checkTypes.join(", ");
+	if (requirements.length === 0) {
+		const target = format || "input";
+		requirements.push(buildNoFindingsRequirement("checkov-no-findings", `Checkov scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
+	const baseline = createMinimalBaseline("Checkov Scan", requirements, { resultsChecksum });
 	return buildHdfResults({
 		generatorName: "checkov-to-hdf",
 		converterVersion: "1.0.0",
@@ -3057,6 +3513,7 @@ async function convertGosecToHdf(input) {
 	}
 	const requirements = [];
 	for (const [ruleId, issues] of groups) requirements.push(buildRequirement$13(ruleId, issues));
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("gosec-no-findings", "gosec scanned Go codebase and reported zero findings.", /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline("gosec Scan", requirements, { resultsChecksum });
 	return buildHdfResults({
 		generatorName: "gosec-to-hdf",
@@ -3137,6 +3594,7 @@ async function convertNiktoToHdf(input) {
 	if (niktoData.host) targetParts.push(`Host: ${niktoData.host}`);
 	if (niktoData.port) targetParts.push(`Port: ${niktoData.port}`);
 	const targetName = targetParts.length > 0 ? targetParts.join(" ") : "Nikto Scan";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("nikto-no-findings", `Nikto scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "nikto-to-hdf",
 		converterVersion: "unknown",
@@ -3148,7 +3606,7 @@ async function convertNiktoToHdf(input) {
 			summary: niktoData.banner || ""
 		})],
 		components: [{
-			type: Copyright.Application,
+			type: TargetType.Application,
 			name: targetName
 		}]
 	});
@@ -3210,45 +3668,8 @@ async function convertZapToHdf(input) {
 	if (detected && detected.fingerprint.id === "sarif-to-hdf") return convertSarifToHdf(input);
 	const resultsChecksum = await inputChecksum(input);
 	const zapData = parseJSON(input);
-	if (!zapData.site || !Array.isArray(zapData.site)) {
-		const hdf = {
-			baselines: [createMinimalBaseline("OWASP ZAP Scan", [], {
-				resultsChecksum,
-				title: "OWASP ZAP Scan",
-				summary: ""
-			})],
-			generator: {
-				name: "zap-to-hdf",
-				version: "unknown"
-			},
-			tool: {
-				name: "OWASP ZAP",
-				format: "JSON"
-			}
-		};
-		return JSON.stringify(hdf, null, 2);
-	}
-	const site = selectSite(zapData.site);
-	if (!site) {
-		const hdf = {
-			baselines: [createMinimalBaseline("OWASP ZAP Scan", [], {
-				resultsChecksum,
-				title: "OWASP ZAP Scan",
-				summary: `ZAP Version ${zapData["@version"] ?? "unknown"}`
-			})],
-			generator: {
-				name: "zap-to-hdf",
-				version: "unknown"
-			},
-			tool: {
-				name: "OWASP ZAP",
-				format: "JSON"
-			}
-		};
-		if (zapData["@generated"]) hdf.timestamp = new Date(zapData["@generated"]);
-		return JSON.stringify(hdf, null, 2);
-	}
-	const alerts = site.alerts ?? [];
+	const site = selectSite(Array.isArray(zapData.site) ? zapData.site : []);
+	const alerts = site?.alerts ?? [];
 	const pluginIdCount = /* @__PURE__ */ new Map();
 	const { items: limitedAlerts, truncated } = limitArray(alerts);
 	/* v8 ignore next -- truncation only triggers with >100K items */
@@ -3304,10 +3725,17 @@ async function convertZapToHdf(input) {
 		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
-	const targetName = site["@host"] ?? "Unknown Host";
+	const targetName = site?.["@host"] ?? "Unknown Host";
+	const siteName = site?.["@name"] ?? "";
+	const baselineName = site && (site["@name"] || site["@host"]) ? `OWASP ZAP Scan of ${site["@name"] ?? targetName}` : "OWASP ZAP Scan";
+	if (requirements.length === 0) {
+		let target = siteName || targetName;
+		if (!target || target === "Unknown Host") target = "the target site";
+		requirements.push(buildNoFindingsRequirement("zap-no-findings", `OWASP ZAP scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const baseline = createMinimalBaseline("OWASP ZAP Scan", requirements, {
 		resultsChecksum,
-		title: `OWASP ZAP Scan of ${site["@name"] ?? targetName}`,
+		title: baselineName,
 		summary: `ZAP Version ${zapData["@version"] ?? "unknown"}`
 	});
 	const tool = {
@@ -3316,14 +3744,14 @@ async function convertZapToHdf(input) {
 	};
 	if (zapData["@version"]) tool.version = zapData["@version"];
 	const components = [];
-	if (site["@name"]) components.push({
+	if (site?.["@name"]) components.push({
 		name: targetName,
-		type: Copyright.Application,
+		type: TargetType.Application,
 		url: site["@name"]
 	});
 	else if (targetName !== "Unknown Host") components.push({
 		name: targetName,
-		type: Copyright.Application
+		type: TargetType.Application
 	});
 	const hdf = {
 		baselines: [baseline],
@@ -3459,7 +3887,7 @@ async function convertCyclonedxToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -3659,7 +4087,7 @@ async function convertSplunkToHdf(input) {
 		baselines: allBaselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Host,
+			type: TargetType.Host,
 			osName: targetRelease || void 0,
 			labels: {}
 		}],
@@ -3759,9 +4187,9 @@ function gitlabSeverityToImpact(severity) {
 }
 function scanTypeToTargetType(scanType) {
 	switch (scanType) {
-		case "dast": return Copyright.Application;
-		case "container_scanning": return Copyright.ContainerImage;
-		default: return Copyright.Repository;
+		case "dast": return TargetType.Application;
+		case "container_scanning": return TargetType.ContainerImage;
+		default: return TargetType.Repository;
 	}
 }
 function scanTypeLabel(scanType) {
@@ -3894,9 +4322,14 @@ async function convertGitlabToHdf(input) {
 		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
+	const label = scanTypeLabel(scanType);
+	if (requirements.length === 0) {
+		const ts = startTime ? new Date(startTime) : /* @__PURE__ */ new Date();
+		requirements.push(buildNoFindingsRequirement("gitlab-no-findings", `GitLab ${label} scan via ${scannerName} reported zero findings.`, ts));
+	}
 	const baseline = createMinimalBaseline("GitLab Security Scan", requirements, {
 		resultsChecksum,
-		title: `GitLab ${scanTypeLabel(scanType)} Security Scan`,
+		title: `GitLab ${label} Security Scan`,
 		summary: `Scanner: ${scannerName}${scannerVersion ? ` v${scannerVersion}` : ""}`
 	});
 	const tool = {
@@ -4050,19 +4483,22 @@ async function convertTrufflehogToHdf(input) {
 	if (!input || input.trim().length === 0) throw new Error("trufflehog: empty input");
 	validateInputSize(input, "trufflehog");
 	const findings = parseFindings(input);
-	if (findings.length === 0) throw new Error("trufflehog: no findings in input");
 	const resultsChecksum = await inputChecksum(input);
 	const limitedFindings = limitArrayWithWarning(findings, "finding");
 	const groups = groupFindings(limitedFindings);
 	const requirements = [];
 	for (const [reqID, group] of groups) requirements.push(buildRequirement$12(reqID, group));
+	if (requirements.length === 0) {
+		const target = findGitRepoURL(limitedFindings) ?? limitedFindings[0]?.SourceName ?? "the target source";
+		requirements.push(buildNoFindingsRequirement("trufflehog-no-findings", `TruffleHog scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const hdf = {
 		baselines: [createMinimalBaseline("TruffleHog Scan", requirements, {
 			resultsChecksum,
 			title: `TruffleHog Scan (${limitedFindings[0]?.SourceName ?? "trufflehog"})`
 		})],
 		generator: {
-			name: "hdf-converters",
+			name: "trufflehog-to-hdf",
 			version: "1.0.0"
 		},
 		tool: {
@@ -4074,7 +4510,7 @@ async function convertTrufflehogToHdf(input) {
 	const repoURL = findGitRepoURL(limitedFindings);
 	if (repoURL) hdf.components = [{
 		name: repoURL,
-		type: Copyright.Repository
+		type: TargetType.Repository
 	}];
 	return JSON.stringify(hdf, null, 2);
 }
@@ -4136,6 +4572,7 @@ async function convertBurpsuiteToHdf(input) {
 	const requirements = [];
 	for (const [issueType, groupIssues] of groups) requirements.push(buildRequirement$11(issueType, groupIssues));
 	const targetName = limitedIssues.length > 0 ? (limitedIssues[0].host?.["#text"] ?? "Unknown").trim() : "Unknown";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("burpsuite-no-findings", `Burp Suite scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline("BurpSuite Scan", requirements, {
 		resultsChecksum,
 		title: `BurpSuite Scan: ${targetName}`
@@ -4149,7 +4586,7 @@ async function convertBurpsuiteToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		generator: {
 			name: "burpsuite-to-hdf",
@@ -4346,7 +4783,7 @@ async function convertDbprotectToHdf(input) {
 		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Host
+			type: TargetType.Host
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -4386,6 +4823,148 @@ function buildSummary(result) {
 	return `Package Vulnerability Summary: ${result.vulnerabilityDistribution ? String(result.vulnerabilityDistribution.total) : "N/A"} Application Compliance Issue Total: ${result.complianceDistribution ? String(result.complianceDistribution.total) : "N/A"}`;
 }
 /**
+* Detects CVSS schema version enum from the vector prefix. Defaults to 3.1
+* since modern Twistlock exclusively emits 3.x output.
+*/
+function cvssVersionFromVector(vector) {
+	if (!vector) return Version.The31;
+	if (vector.startsWith("CVSS:2.0/")) return Version.The20;
+	if (vector.startsWith("CVSS:3.0/")) return Version.The30;
+	if (vector.startsWith("CVSS:4.0/")) return Version.The40;
+	return Version.The31;
+}
+/**
+* Maps cvssScoreToSeverity('low'|'medium'|...) into the CVSSSeverity enum.
+*/
+function cvssSeverityFromScore(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "none": return CVSSSeverity.None;
+		case "low": return CVSSSeverity.Low;
+		case "medium": return CVSSSeverity.Medium;
+		case "high": return CVSSSeverity.High;
+		case "critical": return CVSSSeverity.Critical;
+		default: return;
+	}
+}
+/**
+* Builds a Cvss entry from a Twistlock vulnerability. Returns undefined only
+* when neither a score nor a vector is available. When the vendor emits a
+* score but no vector (common in Twistlock/Prisma Cloud output), the Cvss
+* entry is still emitted — the schema makes baseVector optional precisely
+* so vendor-final-score data isn't dropped.
+*/
+function buildCvss(vuln) {
+	const hasScore = typeof vuln.cvss === "number" && Number.isFinite(vuln.cvss);
+	const hasVector = !!vuln.vector;
+	if (!hasScore && !hasVector) return void 0;
+	const cv = { version: cvssVersionFromVector(vuln.vector) };
+	if (hasScore) {
+		cv.baseScore = vuln.cvss;
+		const sev = cvssSeverityFromScore(vuln.cvss);
+		if (sev !== void 0) cv.baseSeverity = sev;
+	}
+	if (hasVector) cv.baseVector = vuln.vector;
+	const source = vuln.cve ?? vuln.id;
+	if (source) cv.source = source;
+	return cv;
+}
+const CWE_REGEX = /cwe[-_]?(\d+)/gi;
+/**
+* Extracts canonical CWE-N identifiers from a free-form string.
+*/
+function parseCwes(raw) {
+	if (!raw) return [];
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const m of raw.matchAll(CWE_REGEX)) {
+		const id = `CWE-${m[1]}`;
+		if (seen.has(id)) continue;
+		seen.add(id);
+		out.push(id);
+	}
+	return out;
+}
+function rhelDistro(distro) {
+	const low = distro.toLowerCase();
+	return [
+		"red hat",
+		"rhel",
+		"centos",
+		"fedora",
+		"amazon linux",
+		"oracle linux",
+		"rocky",
+		"alma"
+	].some((m) => low.includes(m));
+}
+function debDistro(distro) {
+	const low = distro.toLowerCase();
+	return ["debian", "ubuntu"].some((m) => low.includes(m));
+}
+/**
+* Maps a Twistlock package type plus the result's distro string to a schema
+* Ecosystem value. Defaults to 'generic' for unknown types.
+*/
+function resolveEcosystem(packageType, distro) {
+	const t = (packageType ?? "").toLowerCase();
+	const d = distro ?? "";
+	switch (t) {
+		case "os":
+			if (rhelDistro(d)) return Ecosystem.RPM;
+			if (debDistro(d)) return Ecosystem.Deb;
+			return Ecosystem.Generic;
+		case "rpm": return Ecosystem.RPM;
+		case "deb": return Ecosystem.Deb;
+		case "jar":
+		case "maven": return Ecosystem.Maven;
+		case "python":
+		case "pypi": return Ecosystem.Pypi;
+		case "nodejs":
+		case "npm": return Ecosystem.Npm;
+		case "gem": return Ecosystem.Gem;
+		case "nuget": return Ecosystem.Nuget;
+		case "go": return Ecosystem.Go;
+		case "cargo": return Ecosystem.Cargo;
+		default: return Ecosystem.Generic;
+	}
+}
+const FIX_VERSION_REGEX = /\d+(?:\.\d+)+[A-Za-z0-9._+\-]*/;
+/**
+* Extracts the first version-looking token from fixedBy or a "fixed in X"
+* status string. Returns empty string when no fix info is present.
+*/
+function extractFixedInVersion(vuln) {
+	if (vuln.fixedBy) return vuln.fixedBy;
+	if (!(vuln.status ?? "").toLowerCase().includes("fixed")) return "";
+	const m = (vuln.status ?? "").match(FIX_VERSION_REGEX);
+	return m ? m[0] : "";
+}
+/**
+* Builds an AffectedPackage entry from per-vulnerability fields. Returns
+* undefined when packageName or packageVersion are missing (both required).
+*/
+function buildAffectedPackage(vuln, packageTypes, distro) {
+	if (!vuln.packageName || !vuln.packageVersion) return void 0;
+	const pkgType = vuln.packageType ?? packageTypes.get(vuln.packageName);
+	const pkg = {
+		name: vuln.packageName,
+		version: vuln.packageVersion,
+		ecosystem: resolveEcosystem(pkgType, distro)
+	};
+	const fixed = extractFixedInVersion(vuln);
+	if (fixed) pkg.fixedInVersion = fixed;
+	return pkg;
+}
+/**
+* Indexes packageName → packageType from the result-level packages array.
+*/
+function buildPackageTypeIndex(pkgs) {
+	const idx = /* @__PURE__ */ new Map();
+	if (!pkgs) return idx;
+	for (const p of pkgs) if (p.name && p.type) idx.set(p.name, p.type);
+	return idx;
+}
+/**
 * Builds the code_desc string for a vulnerability result.
 */
 function formatCodeDesc$2(vuln) {
@@ -4395,10 +4974,17 @@ function formatCodeDesc$2(vuln) {
 }
 /**
 * Converts a single vulnerability into an EvaluatedRequirement.
+*
+* @param vuln - The Twistlock vulnerability object
+* @param packageTypes - name→type lookup built from the enclosing result's packages array
+* @param distro - the enclosing result's distro string, used to disambiguate "os" packages
 */
-function buildRequirement$9(vuln) {
+function buildRequirement$9(vuln, packageTypes, distro) {
 	const nist = DEFAULT_REMEDIATION_NIST_TAGS;
-	const tags = buildNistCciTags(nist, nistToCci(nist), { cveid: [vuln.id] });
+	const cciTags = nistToCci(nist);
+	const extras = { cveid: [vuln.id] };
+	if (typeof vuln.cvss === "number" && vuln.cvss > 0) extras["cvss_base_score"] = vuln.cvss;
+	const tags = buildNistCciTags(nist, cciTags, extras);
 	const descriptions = [{
 		label: "default",
 		data: vuln.description
@@ -4412,6 +4998,12 @@ function buildRequirement$9(vuln) {
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	const cv = buildCvss(vuln);
+	if (cv) req.cvss = [cv];
+	const cwes = parseCwes(vuln.cwe);
+	if (cwes.length > 0) req.cwe = cwes;
+	const pkg = buildAffectedPackage(vuln, packageTypes, distro);
+	if (pkg) req.affectedPackages = [pkg];
 	return req;
 }
 /**
@@ -4422,7 +5014,13 @@ function convertSingleResult(result, resultsChecksum) {
 	const { items: limitedVulns, truncated } = limitArray(vulns);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncated) console.warn(`WARNING: Input truncated at ${limitedVulns.length} vulnerability items (original: ${vulns.length})`);
-	return createMinimalBaseline("Twistlock Scan", limitedVulns.map((vuln) => buildRequirement$9(vuln)), {
+	const packageTypes = buildPackageTypeIndex(result.packages);
+	const requirements = limitedVulns.map((vuln) => buildRequirement$9(vuln, packageTypes, result.distro));
+	if (requirements.length === 0) {
+		const target = result.name ?? result.repository ?? result.id ?? "scan target";
+		requirements.push(buildNoFindingsRequirement("twistlock-no-findings", `Twistlock scanned ${target} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
+	return createMinimalBaseline("Twistlock Scan", requirements, {
 		resultsChecksum,
 		title: buildTitle$1(result),
 		summary: buildSummary(result)
@@ -4457,7 +5055,7 @@ async function convertTwistlockToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.ContainerImage,
+			type: TargetType.ContainerImage,
 			labels: { image: results[0]?.id ?? targetName }
 		}],
 		timestamp: /* @__PURE__ */ new Date()
@@ -4529,9 +5127,30 @@ function buildRequirement$8(finding, timestamp) {
 	req.verificationMethod = VerificationMethodEnum.Automated;
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
+	const pkg = buildAffectedPackageFromComponent(finding.component);
+	if (pkg) req.affectedPackages = [pkg];
 	return req;
 }
 /**
+* Builds an Affected_Package from a Dependency-Track component. Prefers
+* the rich identifiers Dependency-Track already exposes (purl, cpe) and
+* augments with name/version/ecosystem when available. Returns undefined
+* when the component carries no schema-acceptable identifier.
+*/
+function buildAffectedPackageFromComponent(c) {
+	let ecosystem;
+	if (c.purl) ecosystem = ecosystemFromPurlType(parsePurl(c.purl)?.type);
+	else if (c.name && c.version) ecosystem = ecosystemFromPurlType(void 0);
+	return buildAffectedPackage$1({
+		name: c.name,
+		version: c.version,
+		ecosystem,
+		purl: c.purl,
+		cpe: c.cpe,
+		fixedInVersion: c.latestVersion
+	});
+}
+/**
 * Converts Dependency-Track FPF JSON output to HDF format.
 *
 * @param input - Dependency-Track FPF JSON string
@@ -4544,7 +5163,12 @@ async function convertDeptrackToHdf(input) {
 	const parsed = parseJSON(input);
 	if (!parsed || typeof parsed !== "object") throw new Error("deptrack: invalid JSON");
 	if (!parsed.findings && !parsed.project && !parsed.meta) throw new Error("deptrack: input does not appear to be a Dependency-Track report");
-	const baseline = createMinimalBaseline("Dependency-Track Scan", (parsed.findings ?? []).map((finding) => buildRequirement$8(finding, parsed.meta?.timestamp)), {
+	const requirements = (parsed.findings ?? []).map((finding) => buildRequirement$8(finding, parsed.meta?.timestamp));
+	if (requirements.length === 0) {
+		const projectName = parsed.project?.name ?? parsed.project?.uuid ?? "";
+		requirements.push(buildNoFindingsRequirement("deptrack-no-findings", `Dependency-Track analyzed ${projectName} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
+	const baseline = createMinimalBaseline("Dependency-Track Scan", requirements, {
 		resultsChecksum,
 		title: `Dependency-Track: ${parsed.project?.name ?? ""} ${parsed.project?.version ?? ""}`,
 		summary: parsed.project?.description
@@ -4558,7 +5182,7 @@ async function convertDeptrackToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -4636,8 +5260,49 @@ function buildRequirement$7(entryID, entries) {
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	const pkg = buildAffectedPackageFromEntry(rep);
+	if (pkg) req.affectedPackages = [pkg];
 	return req;
 }
+function ecosystemFromXraySource(scheme) {
+	if (scheme === "gav") return Ecosystem.Maven;
+	return ecosystemFromPurlType(scheme);
+}
+function parseSourceCompID(s) {
+	if (!s) return void 0;
+	const m = /^([a-zA-Z0-9]+):\/\/(.+)$/.exec(s);
+	if (!m) return void 0;
+	const scheme = m[1].toLowerCase();
+	const rest = m[2];
+	const colonIdx = rest.lastIndexOf(":");
+	if (colonIdx > 0) return {
+		scheme,
+		name: rest.slice(0, colonIdx),
+		version: rest.slice(colonIdx + 1)
+	};
+	return {
+		scheme,
+		name: rest
+	};
+}
+function buildAffectedPackageFromEntry(entry) {
+	const parsed = parseSourceCompID(entry.source_comp_id ?? entry.source_id);
+	let name = entry.component ?? "";
+	let version;
+	let ecosystem;
+	if (parsed) {
+		if (parsed.name) name = parsed.name;
+		version = parsed.version;
+		ecosystem = ecosystemFromXraySource(parsed.scheme);
+	}
+	const fixed = entry.component_versions?.fixed_versions?.[0];
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem: ecosystem ?? (name ? Ecosystem.Generic : void 0),
+		fixedInVersion: fixed
+	});
+}
 /**
 * Converts JFrog Xray JSON output to HDF format.
 *
@@ -4667,6 +5332,7 @@ async function convertJfrogXrayToHdf(input) {
 	}
 	const requirements = [];
 	for (const [entryID, entries] of groups) requirements.push(buildRequirement$7(entryID, entries));
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("jfrog-xray-no-findings", "JFrog Xray scanned the target artifact and reported zero vulnerable components.", /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "jfrog-xray-to-hdf",
 		converterVersion: "1.0.0",
@@ -4675,7 +5341,7 @@ async function convertJfrogXrayToHdf(input) {
 		baselines: [createMinimalBaseline("JFrog Xray Scan", requirements, { resultsChecksum })],
 		components: [{
 			name: "JFrog Xray Scan",
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -4738,6 +5404,15 @@ function buildRequirement$6(vuln) {
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	const cpe23 = (vuln.cpes ?? []).find((c) => /^cpe:2\.3:[aho]:/.test(c));
+	const pkg = buildAffectedPackage$1({
+		name: vuln.package_name,
+		version: vuln.package_version,
+		ecosystem: vuln.package_name && vuln.package_version ? Ecosystem.Generic : void 0,
+		cpe: cpe23,
+		fixedInVersion: vuln.fixed_version
+	});
+	if (pkg) req.affectedPackages = [pkg];
 	return req;
 }
 /**
@@ -4783,6 +5458,9 @@ async function convertNeuvectorToHdf(input) {
 		seen.add(id);
 		requirements.push(buildRequirement$6(vuln));
 	}
+	const now = /* @__PURE__ */ new Date();
+	const target = targetNameFromReport(scan.report);
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("neuvector-no-findings", `NeuVector scanned ${target} and reported zero vulnerable components.`, now));
 	return buildHdfResults({
 		generatorName: "neuvector-to-hdf",
 		converterVersion: "1.0.0",
@@ -4794,13 +5472,13 @@ async function convertNeuvectorToHdf(input) {
 		})],
 		components: [{
 			name: targetNameFromReport(scan.report),
-			type: Copyright.ContainerImage,
+			type: TargetType.ContainerImage,
 			labels: {
 				image: `${scan.report.registry}/${scan.report.repository}:${scan.report.tag}`,
 				registry: scan.report.registry
 			}
 		}],
-		timestamp: /* @__PURE__ */ new Date()
+		timestamp: now
 	});
 }
 //#endregion
@@ -4915,21 +5593,22 @@ async function convertFortifyToHdf(input) {
 	if (truncatedDescs) console.warn(`WARNING: Input truncated at ${limitedDescs.length} Description items (original: ${descriptions.length})`);
 	const createdDate = fvdl.CreatedTS?.date ?? "";
 	const startTimeStr = `${createdDate}T${fvdl.CreatedTS?.time ?? ""}`;
-	const baseline = createMinimalBaseline("Fortify Scan", limitedDescs.map((desc) => {
+	const requirements = limitedDescs.map((desc) => {
 		return buildRequirement$5(desc, vulnGroups.get(desc.classID ?? "") ?? [], snippetMap, startTimeStr);
-	}), {
-		resultsChecksum,
-		title: "Fortify Static Analyzer Scan",
-		summary: `Fortify Static Analyzer Scan of UUID: ${fvdl.UUID ?? ""}`,
-		version: fvdl.EngineData?.EngineVersion ?? "",
-		status: "loaded"
 	});
 	const targetName = fvdl.Build?.SourceBasePath ?? fvdl.Build?.BuildID ?? "Unknown";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("fortify-no-findings", `Fortify scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	const hdfResult = {
-		baselines: [baseline],
+		baselines: [createMinimalBaseline("Fortify Scan", requirements, {
+			resultsChecksum,
+			title: "Fortify Static Analyzer Scan",
+			summary: `Fortify Static Analyzer Scan of UUID: ${fvdl.UUID ?? ""}`,
+			version: fvdl.EngineData?.EngineVersion ?? "",
+			status: "loaded"
+		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Repository
+			type: TargetType.Repository
 		}],
 		generator: {
 			name: "fortify-to-hdf",
@@ -5044,9 +5723,50 @@ function buildRequirement$4(rec) {
 	const controlType = deriveControlTypeFromTags(nist);
 	if (controlType !== void 0) req.controlType = controlType;
 	req.verificationMethod = VerificationMethodEnum.Automated;
+	if (rec["CVE ID"]) {
+		const pkg = buildAffectedPackageFromRecord(rec);
+		if (pkg) req.affectedPackages = [pkg];
+	}
 	return req;
 }
 /**
+* Distro slugs in Prisma look like `redhat-RHEL7`, `debian-buster`,
+* `alpine-3.14`, `ubuntu-20.04`. Only the leading vendor segment is
+* mapped — unknown vendors fall back to `generic` rather than guessing.
+*/
+function ecosystemFromDistro(distro) {
+	if (!distro) return Ecosystem.Generic;
+	switch (distro.split("-")[0]?.toLowerCase()) {
+		case "redhat":
+		case "rhel":
+		case "centos":
+		case "rocky":
+		case "alma":
+		case "fedora":
+		case "amazon":
+		case "amazonlinux":
+		case "suse":
+		case "sles":
+		case "opensuse": return Ecosystem.RPM;
+		case "debian":
+		case "ubuntu": return Ecosystem.Deb;
+		default: return Ecosystem.Generic;
+	}
+}
+const FIX_VERSION_PATTERN = /fixed in\s+([^\s,;]+)/i;
+function buildAffectedPackageFromRecord(rec) {
+	const name = rec["Source Package"] || rec.Packages;
+	const version = rec["Package Version"];
+	if (!name || !version) return void 0;
+	const fixMatch = rec["Fix Status"] ? FIX_VERSION_PATTERN.exec(rec["Fix Status"]) : null;
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem: ecosystemFromDistro(rec.Distro),
+		fixedInVersion: fixMatch ? fixMatch[1] : void 0
+	});
+}
+/**
 * Groups records by hostname, preserving insertion order.
 */
 function groupByHostname(records) {
@@ -5077,20 +5797,25 @@ function buildBaseline(hostname, records, resultsChecksum) {
 async function convertPrismaToHdf(input) {
 	if (!input || input.trim().length === 0) throw new Error("prisma: empty input");
 	validateInputSize(input, "prisma");
+	const headers = (input.split(/\r?\n/, 1)[0] ?? "").split(",").map((h) => h.trim());
+	for (const col of REQUIRED_COLUMNS) if (!headers.includes(col)) throw new Error(`prisma: missing required CSV column "${col}"`);
 	const records = parseCsv(input);
-	if (records.length === 0) throw new Error("prisma: no data rows in CSV");
-	const firstRecord = records[0];
-	for (const col of REQUIRED_COLUMNS) if (!(col in firstRecord)) throw new Error(`prisma: missing required CSV column "${col}"`);
 	const resultsChecksum = await inputChecksum(input);
-	const hostGroups = groupByHostname(records);
 	const baselines = [];
 	const components = [];
-	for (const [hostname, hostRecords] of hostGroups) {
-		baselines.push(buildBaseline(hostname, hostRecords, resultsChecksum));
-		components.push({
-			name: hostname,
-			type: Copyright.Host
-		});
+	if (records.length === 0) baselines.push(createMinimalBaseline("Prisma Cloud Scan", [buildNoFindingsRequirement("prisma-no-findings", "Prisma Cloud scanned the workload and reported zero vulnerable components.", /* @__PURE__ */ new Date())], {
+		resultsChecksum,
+		title: "Prisma Cloud Scan"
+	}));
+	else {
+		const hostGroups = groupByHostname(records);
+		for (const [hostname, hostRecords] of hostGroups) {
+			baselines.push(buildBaseline(hostname, hostRecords, resultsChecksum));
+			components.push({
+				name: hostname,
+				type: TargetType.Host
+			});
+		}
 	}
 	return buildHdfResults({
 		generatorName: "prisma-to-hdf",
@@ -5239,20 +5964,25 @@ async function convertNetsparkerToHdf(input) {
 	const { items: limitedVulns, truncated } = limitArray(vulns);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncated) console.warn(`WARNING: Input truncated at ${limitedVulns.length} vulnerability items (original: ${vulns.length})`);
-	const baseline = createMinimalBaseline("Netsparker Scan", limitedVulns.map((vuln) => buildRequirement$3(vuln, initiated)), {
-		resultsChecksum,
-		title: `${toolName} Enterprise Scan ID: ${target["scan-id"] ?? ""} URL: ${target.url ?? ""}`
-	});
 	const targetName = target.url ?? "Unknown";
+	const requirements = limitedVulns.map((vuln) => buildRequirement$3(vuln, initiated));
+	if (requirements.length === 0) {
+		const initiatedDate = initiated ? new Date(initiated) : /* @__PURE__ */ new Date();
+		const startTime = isNaN(initiatedDate.getTime()) ? /* @__PURE__ */ new Date() : initiatedDate;
+		requirements.push(buildNoFindingsRequirement("netsparker-no-findings", `${toolName} scanned ${targetName} and reported zero findings.`, startTime));
+	}
 	return buildHdfResults({
 		generatorName: "netsparker-to-hdf",
 		converterVersion: "1.0.0",
 		toolName,
 		toolFormat: "XML",
-		baselines: [baseline],
+		baselines: [createMinimalBaseline("Netsparker Scan", requirements, {
+			resultsChecksum,
+			title: `${toolName} Enterprise Scan ID: ${target["scan-id"] ?? ""} URL: ${target.url ?? ""}`
+		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}]
 	});
 }
@@ -5367,12 +6097,14 @@ async function convertScoutsuiteToHdf(input) {
 	const resultsChecksum = await inputChecksum(jsonStr);
 	const report = parseJSON(jsonStr);
 	if (!report || typeof report !== "object") throw new Error("scoutsuite: invalid JSON");
-	const baseline = createMinimalBaseline("ScoutSuite Scan", limitArrayWithWarning(collapseFindings(report), "finding").map(([ruleID, finding]) => buildRequirement$2(ruleID, finding, report.last_run.time)), {
+	const requirements = limitArrayWithWarning(collapseFindings(report), "finding").map(([ruleID, finding]) => buildRequirement$2(ruleID, finding, report.last_run.time));
+	const targetName = `${report.last_run.ruleset_name} ruleset:${report.provider_name}:${report.account_id}`;
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("scoutsuite-no-findings", `ScoutSuite scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	const baseline = createMinimalBaseline("ScoutSuite Scan", requirements, {
 		resultsChecksum,
 		title: `Scout Suite Report using ${report.last_run.ruleset_name} ruleset on ${report.provider_name} with account ${report.account_id}`,
 		summary: report.last_run.ruleset_about
 	});
-	const targetName = `${report.last_run.ruleset_name} ruleset:${report.provider_name}:${report.account_id}`;
 	return buildHdfResults({
 		generatorName: "scoutsuite-to-hdf",
 		converterVersion: "1.0.0",
@@ -5382,7 +6114,7 @@ async function convertScoutsuiteToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			labels: {
 				account: report.account_id,
 				provider: report.provider_code ?? report.provider_name
@@ -5539,6 +6271,10 @@ async function convertConveyorToHdf(input) {
 		const desc = data.api_response.params["description"];
 		if (typeof desc === "string" && desc.length > 0) targetName = desc;
 	}
+	if (baselines.length === 0) baselines.push(createMinimalBaseline("Conveyor Scan", [buildNoFindingsRequirement("conveyor-no-findings", `Conveyor scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date())], {
+		resultsChecksum,
+		title: "Conveyor Scan (no findings)"
+	}));
 	return buildHdfResults({
 		generatorName: "conveyor-to-hdf",
 		converterVersion: "1.0.0",
@@ -5547,7 +6283,7 @@ async function convertConveyorToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -5814,6 +6550,8 @@ async function convertVeracodeToHdf(input) {
 	const cweRequirements = buildCWERequirements(ensureArray(report.severity), firstBuildDate);
 	const cveRequirements = buildCVERequirements(report.software_composition_analysis, firstBuildDate);
 	const allRequirements = [...cweRequirements, ...cveRequirements];
+	const targetName = attr(report, "app_name") || "Veracode Application";
+	if (allRequirements.length === 0) allRequirements.push(buildNoFindingsRequirement("veracode-no-findings", `Veracode scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	let title;
 	const staticAnalysis = report["static-analysis"];
 	if (staticAnalysis) {
@@ -5829,7 +6567,6 @@ async function convertVeracodeToHdf(input) {
 		version: attr(report, "policy_version"),
 		summary: attr(report, "policy_name")
 	});
-	const targetName = attr(report, "app_name") || "Veracode Application";
 	const timestamp = parseVeracodeTimestamp(firstBuildDate);
 	return buildHdfResults({
 		generatorName: "veracode-to-hdf",
@@ -5839,7 +6576,7 @@ async function convertVeracodeToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp
 	});
@@ -5957,7 +6694,7 @@ async function convertMsftSecureScoreToHdf(input) {
 		}),
 		components: [{
 			name: `Azure Tenant: ${tenantId}`,
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			labels: {
 				account: tenantId,
 				provider: "azure"
@@ -5980,6 +6717,7 @@ async function convertMsftDefenderDevopsToHdf(input) {
 	const { components, runEnrichments } = extractEnrichments(raw);
 	const hdfJson = await convertSarifToHdf(input);
 	const result = JSON.parse(hdfJson);
+	synthesizeNoFindingsPlaceholders(result);
 	applyEnrichments(result, components, runEnrichments);
 	if (result.generator) result.generator.name = "msft-defender-devops-to-hdf";
 	if (result.tool) result.tool.name = "Microsoft Defender for DevOps";
@@ -5994,7 +6732,7 @@ function extractEnrichments(raw) {
 			seenRepos.add(vcp.repositoryUri);
 			const target = {
 				name: repoNameFromURI(vcp.repositoryUri),
-				type: Copyright.Repository,
+				type: TargetType.Repository,
 				url: vcp.repositoryUri,
 				labels: {}
 			};
@@ -6044,6 +6782,14 @@ function applyEnrichments(result, components, runEnrichments) {
 		}
 	}
 }
+function synthesizeNoFindingsPlaceholders(result) {
+	const startTime = result.timestamp ?? /* @__PURE__ */ new Date();
+	for (const baseline of result.baselines ?? []) {
+		if (baseline.requirements && baseline.requirements.length > 0) continue;
+		const tool = baseline.name;
+		baseline.requirements = [buildNoFindingsRequirement(`${tool}-no-findings`, `Microsoft Defender for DevOps scanner "${tool}" ran and reported zero findings.`, startTime)];
+	}
+}
 function repoNameFromURI(uri) {
 	const parts = uri.split("/");
 	return parts[parts.length - 1] || uri;
@@ -6140,21 +6886,23 @@ async function convertMsftDefenderCloudToHdf(input) {
 	}
 	const requirements = [];
 	for (const [assessmentID, assessments] of groups) requirements.push(buildRequirement(assessmentID, assessments));
+	const subscriptionID = limitedAssessments.length > 0 ? extractSubscriptionID(limitedAssessments[0].id) : "";
+	if (requirements.length === 0) {
+		const targetName = subscriptionID || "Unknown";
+		requirements.push(buildNoFindingsRequirement("msft-defender-cloud-no-findings", `Microsoft Defender for Cloud scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const baseline = createMinimalBaseline("Microsoft Defender for Cloud Assessments", requirements, { resultsChecksum });
 	const components = [];
-	if (limitedAssessments.length > 0) {
-		const subscriptionID = extractSubscriptionID(limitedAssessments[0].id);
-		if (subscriptionID) components.push({
-			name: `Azure Subscription ${subscriptionID}`,
-			type: Copyright.CloudAccount,
-			accountId: subscriptionID,
-			provider: "azure",
-			labels: {
-				account: subscriptionID,
-				provider: "azure"
-			}
-		});
-	}
+	if (subscriptionID) components.push({
+		name: `Azure Subscription ${subscriptionID}`,
+		type: TargetType.CloudAccount,
+		accountId: subscriptionID,
+		provider: "azure",
+		labels: {
+			account: subscriptionID,
+			provider: "azure"
+		}
+	});
 	return buildHdfResults({
 		generatorName: "msft-defender-cloud-to-hdf",
 		converterVersion: "1.0.0",
@@ -6229,7 +6977,7 @@ function extractDeviceTarget(alert) {
 		for (const ev of alert.evidence) if ((ev["@odata.type"] ?? "").includes("deviceEvidence") && ev.deviceDnsName) {
 			const target = {
 				name: ev.deviceDnsName,
-				type: Copyright.Host,
+				type: TargetType.Host,
 				labels: { provider: "azure" }
 			};
 			if (ev.deviceDnsName) target.fqdn = ev.deviceDnsName;
@@ -6239,7 +6987,7 @@ function extractDeviceTarget(alert) {
 	}
 	return {
 		name: alert.tenantId ?? "unknown",
-		type: Copyright.CloudAccount,
+		type: TargetType.CloudAccount,
 		accountId: alert.tenantId,
 		labels: {
 			account: alert.tenantId ?? "",
@@ -6308,6 +7056,7 @@ async function convertMsftDefenderEndpointToHdf(input) {
 			components.push(target);
 		}
 	}
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("msft-defender-endpoint-no-findings", "Microsoft Defender for Endpoint scanned the tenant and reported zero findings.", /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "msft-defender-endpoint-to-hdf",
 		converterVersion: "1.0.0",
@@ -6448,8 +7197,7 @@ function buildTestResultObj(hdfData, baseline) {
 				[`${ATTR}idref`]: ruleIdRef,
 				result: wrap(hdfStatusToXccdf(result.status))
 			};
-			const startTime = typeof result.startTime === "string" ? result.startTime : result.startTime.toISOString();
-			rr[`${ATTR}time`] = startTime;
+			rr[`${ATTR}time`] = typeof result.startTime === "string" ? result.startTime : result.startTime.toISOString();
 			if (result.message) rr.message = wrap(result.message);
 			if (result.codeDesc) rr.check = {
 				[`${ATTR}system`]: "http://oval.mitre.org/XMLSchema/oval-definitions-5",
@@ -6879,7 +7627,7 @@ async function convertHdfToOscalPoam(input) {
 	return JSON.stringify(doc, null, 2);
 }
 /**
-* Converts parsed HdfAmendments to an OSCAL PlanOfActionAndMilestones.
+* Converts parsed HDFAmendments to an OSCAL PlanOfActionAndMilestones.
 */
 function amendmentsToPOAM(amendments) {
 	const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -7079,6 +7827,1150 @@ async function convertIonchannelToHdf(input) {
 	});
 }
 //#endregion
+//#region shared/typescript/vex/mapping.ts
+/** Canonical VEX status across OpenVEX / CSAF / CycloneDX. */
+const VexStatus = {
+	NotAffected: "not_affected",
+	Affected: "affected",
+	Fixed: "fixed",
+	UnderInvestigation: "under_investigation"
+};
+/**
+* Map an ecosystem-specific status string to the canonical VexStatus.
+* Returns undefined for values without a clean mapping — caller should warn
+* and skip, not guess.
+*/
+function normalizeStatus(raw) {
+	switch (raw.trim().toLowerCase()) {
+		case "not_affected":
+		case "known_not_affected":
+		case "false_positive": return VexStatus.NotAffected;
+		case "affected":
+		case "known_affected":
+		case "exploitable": return VexStatus.Affected;
+		case "fixed":
+		case "first_fixed":
+		case "resolved":
+		case "resolved_with_pedigree": return VexStatus.Fixed;
+		case "under_investigation":
+		case "in_triage": return VexStatus.UnderInvestigation;
+		default: return;
+	}
+}
+/**
+* Map an ecosystem-specific justification string to the canonical HDF
+* Justification enum. Returns undefined for unknown values; callers SHOULD
+* log unknown values rather than silently dropping (the schema spec wants
+* pass-through, but practically we expect the enum to be extended when a
+* new vocabulary is integrated rather than carrying raw labels
+* indefinitely).
+*
+* The HDF Justification enum (v3.2.x) covers:
+*   - the original OpenVEX / CSAF VEX five values
+*   - CycloneDX-specific reachability values (requires_*, protected_*)
+*     that describe why a vulnerable code path is unreachable in the
+*     deployed configuration.
+*/
+function normalizeJustification(raw) {
+	switch (raw.trim().toLowerCase()) {
+		case "component_not_present":
+		case "code_not_present": return Justification.ComponentNotPresent;
+		case "vulnerable_code_not_present": return Justification.VulnerableCodeNotPresent;
+		case "vulnerable_code_not_in_execute_path":
+		case "code_not_reachable": return Justification.VulnerableCodeNotInExecutePath;
+		case "vulnerable_code_cannot_be_controlled_by_adversary": return Justification.VulnerableCodeCannotBeControlledByAdversary;
+		case "inline_mitigations_already_exist":
+		case "protected_by_mitigating_control": return Justification.InlineMitigationsAlreadyExist;
+		case "requires_configuration": return Justification.RequiresConfiguration;
+		case "requires_dependency": return Justification.RequiresDependency;
+		case "requires_environment": return Justification.RequiresEnvironment;
+		case "protected_by_compiler": return Justification.ProtectedByCompiler;
+		case "protected_at_runtime": return Justification.ProtectedAtRuntime;
+		case "protected_at_perimeter": return Justification.ProtectedAtPerimeter;
+		default: return;
+	}
+}
+/**
+* Render an HDF Justification value as the CycloneDX-native vocabulary.
+* CycloneDX uses short-form names (code_not_present, code_not_reachable,
+* protected_by_mitigating_control) for the three justifications shared
+* with OpenVEX/CSAF, and shares the six CycloneDX-specific reachability
+* values verbatim.
+*
+* Returns undefined when the HDF value has no equivalent in CycloneDX's
+* enum (vulnerable_code_not_present and
+* vulnerable_code_cannot_be_controlled_by_adversary). Callers should
+* omit the justification field in that case.
+*/
+function justificationForCycloneDX(j) {
+	switch (j) {
+		case Justification.ComponentNotPresent: return "code_not_present";
+		case Justification.VulnerableCodeNotInExecutePath: return "code_not_reachable";
+		case Justification.InlineMitigationsAlreadyExist: return "protected_by_mitigating_control";
+		case Justification.RequiresConfiguration:
+		case Justification.RequiresDependency:
+		case Justification.RequiresEnvironment:
+		case Justification.ProtectedByCompiler:
+		case Justification.ProtectedAtRuntime:
+		case Justification.ProtectedAtPerimeter: return String(j);
+		default: return;
+	}
+}
+/**
+* Return the amendment shape an importer should produce for a canonical VEX
+* status. Returns undefined for "affected" and "under_investigation" — those
+* are informational; the consumer creates an amendment later if they act.
+*/
+function importTargetFor(status) {
+	switch (status) {
+		case VexStatus.NotAffected: return {
+			overrideType: OverrideType.FalsePositive,
+			status: ResultStatus.Passed,
+			setJustification: true,
+			poamActionTemplate: ""
+		};
+		case VexStatus.Fixed: return {
+			overrideType: OverrideType.Poam,
+			status: ResultStatus.Failed,
+			setJustification: false,
+			poamActionTemplate: "vendor reports fix; apply and re-scan to verify"
+		};
+		case VexStatus.Affected:
+		case VexStatus.UnderInvestigation: return;
+		/* c8 ignore next 2 — every VexStatus has a case above */
+		default: return;
+	}
+}
+/**
+* Return the canonical VEX status an exporter should emit for an HDF
+* override. Returns undefined when no VEX statement should be emitted —
+* the consumer has not acted, and VEX requires a deliberate statement.
+*
+* `allMilestonesCompleted` and `closureChained` are consulted only for
+* POA&M overrides. Closure is signalled by BOTH flags being true; either
+* alone is insufficient.
+*/
+function exportStatusFor(override, allMilestonesCompleted, closureChained) {
+	if (!override) return;
+	if (override.justification) return VexStatus.NotAffected;
+	switch (override.type) {
+		case OverrideType.FalsePositive:
+		case OverrideType.Attestation:
+		case OverrideType.Inherited: return VexStatus.NotAffected;
+		case OverrideType.Waiver:
+		case OverrideType.RiskAdjustment:
+		case OverrideType.OperationalRequirement: return VexStatus.Affected;
+		case OverrideType.Poam: return allMilestonesCompleted && closureChained ? VexStatus.Fixed : VexStatus.Affected;
+		/* c8 ignore next 2 — every OverrideType has a case above */
+		default: return;
+	}
+}
+const ECOSYSTEM_FROM_PURL_TYPE = {
+	npm: Ecosystem.Npm,
+	pypi: Ecosystem.Pypi,
+	rpm: Ecosystem.RPM,
+	deb: Ecosystem.Deb,
+	maven: Ecosystem.Maven,
+	gem: Ecosystem.Gem,
+	nuget: Ecosystem.Nuget,
+	golang: Ecosystem.Go,
+	go: Ecosystem.Go,
+	cargo: Ecosystem.Cargo
+};
+/**
+* Build an AffectedPackage from a single product identifier string emitted
+* by a VEX format. Recognizes PURLs and CPE 2.3 strings; returns undefined
+* for opaque identifiers (importer should drop the entry — schema additions
+* forbid fabricating name+version).
+*/
+function affectedPackageFromIdentifier(identifier) {
+	if (!identifier) return void 0;
+	if (identifier.startsWith("pkg:")) {
+		const parsed = parsePurl(identifier);
+		if (parsed) {
+			const pkg = { purl: identifier };
+			/* c8 ignore next 2 — parsePurl populates name/version when the
+			identifier was a well-formed purl; the absent branches require a
+			malformed-but-prefixed input that loses these fields without
+			triggering the outer null return. Defensive. */
+			if (parsed.name) pkg.name = parsed.name;
+			if (parsed.version) pkg.version = parsed.version;
+			pkg.ecosystem = ECOSYSTEM_FROM_PURL_TYPE[parsed.type] ?? Ecosystem.Generic;
+			return pkg;
+		}
+		return { purl: identifier };
+	}
+	if (identifier.startsWith("cpe:2.3:")) return { cpe: identifier };
+}
+/**
+* Build a unique list of AffectedPackage entries from a sequence of product
+* identifier strings. Empty / unresolvable identifiers are dropped; duplicate
+* purls/cpes/names are collapsed.
+*/
+function affectedPackagesFromIdentifiers(identifiers) {
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const id of identifiers) {
+		const pkg = affectedPackageFromIdentifier(id);
+		if (!pkg) continue;
+		/* c8 ignore next — affectedPackageFromIdentifier always emits either
+		purl or cpe, so the name fallback branch isn't reachable through
+		this caller. Kept for safety if a hand-built AffectedPackage flows
+		through a future caller. */
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+/**
+* Render an AffectedPackage as a single identifier string suitable for
+* round-tripping into a VEX format. Prefers purl > cpe > name@version.
+* Returns undefined when nothing identifying is set.
+*/
+function affectedPackageToIdentifier(pkg) {
+	if (pkg.purl) return pkg.purl;
+	if (pkg.cpe) return pkg.cpe;
+	if (pkg.name && pkg.version) return `${pkg.name}@${pkg.version}`;
+	if (pkg.name) return pkg.name;
+}
+/**
+* Build an HDF Evidence entry pointing at the upstream VEX document. Used by
+* importers to preserve provenance even though we lose the structured
+* statement_id. Returns undefined when sourceURI is empty — don't fabricate.
+*/
+function supplierEvidence(sourceURI, description) {
+	if (!sourceURI.trim()) return;
+	return {
+		type: EvidenceType.URL,
+		data: sourceURI,
+		description: description?.trim() ? description : "Upstream VEX statement"
+	};
+}
+//#endregion
+//#region converters/openvex-to-hdf/typescript/converter.ts
+/**
+* OpenVEX to HDF Amendments converter.
+*
+* VEX statements are consumer-attached context for CVE findings. The act of
+* attaching IS the amendment, so this converter emits HDF Amendments rather
+* than HDF Results.
+*
+* VEX 'fixed' is an abstract supplier claim; the assessed system has not
+* been verified to carry the fix. Imports therefore become open POA&M
+* overrides (status pinned to failed pending re-scan), not status flips.
+*
+* Spec: https://github.com/openvex/spec
+*/
+/** One year in milliseconds. VEX statements are re-evaluated as new info
+*  arrives; one year is a defensive default consistent with the
+*  no-permanent-amendment rule on Standalone_Override. */
+const DEFAULT_EXPIRY_HORIZON_MS$2 = 365 * 24 * 60 * 60 * 1e3;
+async function convertOpenVexToHdf(input, converterVersion) {
+	validateInputSize(input, "openvex-to-hdf");
+	const doc = parseJSON(input);
+	const docTime = (doc.timestamp ? parseTimestamp(doc.timestamp) : null) ?? /* @__PURE__ */ new Date();
+	const overrides = [];
+	for (const stmt of doc.statements ?? []) {
+		const override = statementToOverride(stmt, doc, docTime);
+		if (override) overrides.push(override);
+	}
+	if (overrides.length === 0) throw new Error("openvex-to-hdf: VEX document contains no actionable statements (all 'affected' or 'under_investigation'); no amendment to write");
+	return {
+		name: doc.author ? `OpenVEX statements from ${doc.author}` : "OpenVEX statements",
+		description: `Imported VEX statements from ${truncateId(doc["@id"] ?? "")}`,
+		overrides,
+		appliedBy: identityFor$1(doc.author, doc.role),
+		generator: {
+			name: "openvex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input)
+	};
+}
+function statementToOverride(stmt, doc, docTime) {
+	const canonical = normalizeStatus(stmt.status ?? "");
+	if (!canonical) return void 0;
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const requirementId = stmt.vulnerability?.name ?? stmt.vulnerability?.["@id"] ?? "";
+	if (!requirementId) return void 0;
+	const stmtTime = (stmt.timestamp ? parseTimestamp(stmt.timestamp) : null) ?? docTime;
+	const author = stmt.author ?? doc.author ?? "";
+	const expiresAt = new Date(stmtTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS$2);
+	const override = {
+		type: target.overrideType,
+		requirementId,
+		appliedAt: stmtTime,
+		expiresAt,
+		appliedBy: identityFor$1(author, doc.role),
+		reason: buildReason$2(stmt, target.poamActionTemplate)
+	};
+	const affectedPackages = affectedPackagesFromIdentifiers((stmt.products ?? []).map((p) => p["@id"]).filter((id) => Boolean(id)));
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification && stmt.justification) {
+		const j = normalizeJustification(stmt.justification);
+		if (j) override.justification = j;
+	}
+	const ev = supplierEvidence(doc["@id"] ?? "", "OpenVEX document");
+	if (ev) override.evidence = [ev];
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function buildReason$2(stmt, poamTemplate) {
+	const parts = [];
+	if (stmt.impact_statement) parts.push(stmt.impact_statement);
+	if (stmt.action_statement) parts.push(stmt.action_statement);
+	if (parts.length === 0) return poamTemplate || `Imported from OpenVEX status "${stmt.status ?? ""}"`;
+	return parts.join("\n");
+}
+function identityFor$1(author, role) {
+	if (!author) return {
+		type: IdentityType.System,
+		identifier: "openvex-import"
+	};
+	const id = {
+		type: author.includes("@") ? IdentityType.Email : IdentityType.Simple,
+		identifier: author
+	};
+	if (role) id.description = role;
+	return id;
+}
+function truncateId(id) {
+	const MAX = 80;
+	return id.length <= MAX ? id : `${id.slice(0, MAX)}...`;
+}
+//#endregion
+//#region converters/csaf-vex-to-hdf/typescript/converter.ts
+/**
+* CSAF VEX to HDF Amendments converter.
+*
+* CSAF (OASIS Common Security Advisory Framework) VEX profile is the
+* vendor-advisory format. Per the amendment-output pattern (Step 4f),
+* 'fixed' becomes an open POA&M, not a status flip — supplier claim is
+* not assessed-system evidence.
+*
+* Spec: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html
+*/
+const DEFAULT_EXPIRY_HORIZON_MS$1 = 365 * 24 * 60 * 60 * 1e3;
+async function convertCsafVexToHdf(input, converterVersion) {
+	validateInputSize(input, "csaf-vex-to-hdf");
+	const doc = parseJSON(input);
+	if (doc.document?.category !== "csaf_vex") throw new Error(`csaf-vex-to-hdf: document.category is ${JSON.stringify(doc.document?.category)}; only 'csaf_vex' is supported`);
+	const dm = doc.document;
+	const tracking = dm.tracking ?? {};
+	const publisher = dm.publisher ?? {};
+	const docTime = (tracking.current_release_date ? parseTimestamp(tracking.current_release_date) : null) ?? /* @__PURE__ */ new Date();
+	const productLookup = buildProductLookup$1(doc.product_tree);
+	const overrides = [];
+	for (const v of doc.vulnerabilities ?? []) overrides.push(...vulnerabilityToOverrides(v, publisher, tracking, docTime, productLookup));
+	if (overrides.length === 0) throw new Error("csaf-vex-to-hdf: CSAF VEX document contains no actionable statements (only affected/under_investigation/recommended); no amendment to write");
+	const publisherName = publisher.name ?? "";
+	return {
+		name: publisherName ? `CSAF VEX statements from ${publisherName}` : "CSAF VEX statements",
+		description: `Imported VEX advisory ${tracking.id ?? ""}`,
+		overrides,
+		appliedBy: identityFor(publisher),
+		generator: {
+			name: "csaf-vex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input),
+		version: tracking.version
+	};
+}
+function vulnerabilityToOverrides(vuln, publisher, tracking, docTime, productLookup) {
+	if (!vuln.cve) return [];
+	const ps = vuln.product_status;
+	if (!ps) return [];
+	const out = [];
+	if (ps.known_not_affected?.length) {
+		const o = buildOverride(vuln, publisher, tracking, docTime, VexStatus.NotAffected, ps.known_not_affected, productLookup);
+		if (o) out.push(o);
+	}
+	const fixedProducts = [...ps.fixed ?? [], ...ps.first_fixed ?? []];
+	if (fixedProducts.length > 0) {
+		const o = buildOverride(vuln, publisher, tracking, docTime, VexStatus.Fixed, fixedProducts, productLookup);
+		if (o) out.push(o);
+	}
+	return out;
+}
+function buildOverride(vuln, publisher, tracking, docTime, canonical, products, productLookup) {
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const expiresAt = new Date(docTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS$1);
+	const override = {
+		type: target.overrideType,
+		requirementId: vuln.cve,
+		appliedAt: docTime,
+		expiresAt,
+		appliedBy: identityFor(publisher),
+		reason: buildReason$1(vuln, products)
+	};
+	const affectedPackages = resolveAffectedPackages(products, productLookup);
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification) {
+		const j = pickJustification(vuln, products);
+		if (j) override.justification = j;
+	}
+	const evidence = [];
+	const advisoryEv = supplierEvidence(advisoryURI(publisher, tracking), "CSAF VEX advisory");
+	if (advisoryEv) evidence.push(advisoryEv);
+	for (const r of vuln.references ?? []) {
+		if (!r.url) continue;
+		const ev = supplierEvidence(r.url, r.summary ?? r.category ?? "");
+		if (ev) evidence.push(ev);
+	}
+	if (evidence.length > 0) override.evidence = evidence;
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: firstActionRemediation(vuln, products) || target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function pickJustification(vuln, products) {
+	const scope = new Set(products);
+	for (const f of vuln.flags ?? []) {
+		if (!overlap(f.product_ids ?? [], scope)) continue;
+		if (!f.label) continue;
+		const j = normalizeJustification(f.label);
+		if (j) return j;
+	}
+}
+function firstActionRemediation(vuln, products) {
+	const scope = new Set(products);
+	for (const r of vuln.remediations ?? []) {
+		const ids = r.product_ids;
+		if (ids && ids.length > 0 && !overlap(ids, scope)) continue;
+		if ((r.category === "vendor_fix" || r.category === "mitigation" || r.category === "workaround") && r.details) return r.details;
+	}
+	return "";
+}
+function buildReason$1(vuln, products) {
+	const parts = [];
+	const scope = new Set(products);
+	for (const n of vuln.notes ?? []) if (n.category === "description" && n.text) parts.push(n.text);
+	for (const t of vuln.threats ?? []) {
+		if (!t.details) continue;
+		const ids = t.product_ids;
+		if (ids && ids.length > 0 && !overlap(ids, scope)) continue;
+		parts.push(t.details);
+	}
+	if (parts.length === 0) return `Imported from CSAF VEX (${vuln.cve ?? "unknown CVE"})`;
+	return parts.join("\n");
+}
+/**
+* Walk a CSAF product_tree and build a lookup from product_id to a
+* structured AffectedPackage. Prefers product_identification_helper.purl,
+* then .cpe, then the full_product_name's `name` (used for matching only
+* — name+version is hard to derive from CSAF reliably, so we drop entries
+* with no purl and no cpe).
+*/
+function buildProductLookup$1(tree) {
+	const lookup = /* @__PURE__ */ new Map();
+	if (!tree) return lookup;
+	if (tree.full_product_names) for (const fp of tree.full_product_names) registerProduct(fp, lookup);
+	if (tree.branches) walkBranches(tree.branches, lookup);
+	return lookup;
+}
+function walkBranches(branches, lookup, ctx = {}) {
+	for (const b of branches) {
+		const next = { ...ctx };
+		/* c8 ignore next 2 — falsy branches require a malformed CSAF branch
+		node (category set but name empty) which we don't fixture. */
+		if (b.category === "product_name" && b.name) next.productName = b.name;
+		if (b.category === "product_version" && b.name) next.version = b.name;
+		if (b.product) registerProduct(b.product, lookup, next);
+		if (b.branches) walkBranches(b.branches, lookup, next);
+	}
+}
+function registerProduct(fp, lookup, ctx = {}) {
+	/* c8 ignore next — defensive against a malformed CSAF full_product_name
+	missing its required product_id field; not fixtured. */
+	if (!fp.product_id) return;
+	const helper = fp.product_identification_helper;
+	if (helper?.purl) {
+		const pkg = affectedPackageFromIdentifier(helper.purl);
+		/* c8 ignore next 4 — affectedPackageFromIdentifier always returns a
+		non-null value for an input that starts with 'pkg:' (preserves
+		malformed input as purl-only). The null branch is unreachable from
+		this callsite. */
+		if (pkg) {
+			lookup.set(fp.product_id, pkg);
+			return;
+		}
+	}
+	if (helper?.cpe) {
+		const pkg = affectedPackageFromIdentifier(helper.cpe);
+		/* c8 ignore next 4 — same as above; identifiers starting with
+		'cpe:2.3:' always produce a cpe-only AffectedPackage. */
+		if (pkg) {
+			lookup.set(fp.product_id, pkg);
+			return;
+		}
+	}
+	if (ctx.productName && ctx.version) lookup.set(fp.product_id, {
+		name: ctx.productName,
+		version: ctx.version,
+		ecosystem: Ecosystem.Generic
+	});
+}
+function resolveAffectedPackages(productIds, lookup) {
+	const out = [];
+	const seenKeys = /* @__PURE__ */ new Set();
+	for (const id of productIds) {
+		const pkg = lookup.get(id);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+function identityFor(p) {
+	if (!p.name) return {
+		type: IdentityType.System,
+		identifier: "csaf-vex-import"
+	};
+	const id = {
+		type: IdentityType.Simple,
+		identifier: p.name
+	};
+	if (p.category) id.description = p.category;
+	return id;
+}
+function advisoryURI(publisher, tracking) {
+	/* c8 ignore next */
+	const id = tracking.id ?? "";
+	const ns = publisher.namespace;
+	if (ns && id) return `${ns.replace(/\/+$/, "")}/${id}`;
+	return id;
+}
+function overlap(ids, scope) {
+	return ids.some((id) => scope.has(id));
+}
+//#endregion
+//#region converters/cyclonedx-vex-to-hdf/typescript/converter.ts
+/**
+* CycloneDX VEX to HDF Amendments converter.
+*
+* CycloneDX VEX is not a separate format — it's a CycloneDX BOM whose
+* vulnerabilities[] carry an `analysis` object. CycloneDX-specific
+* justifications without an HDF equivalent (requires_configuration,
+* protected_by_compiler, etc.) are preserved verbatim in the reason
+* field via the shared helper's unknown-value passthrough.
+*
+* Spec: https://cyclonedx.org/use-cases/#vulnerability-exploitability
+*/
+const DEFAULT_EXPIRY_HORIZON_MS = 365 * 24 * 60 * 60 * 1e3;
+async function convertCyclonedxVexToHdf(input, converterVersion) {
+	validateInputSize(input, "cyclonedx-vex-to-hdf");
+	const bom = parseJSON(input);
+	if (bom.bomFormat !== "CycloneDX") throw new Error(`cyclonedx-vex-to-hdf: bomFormat is ${JSON.stringify(bom.bomFormat)}; only 'CycloneDX' is supported`);
+	const docTime = (bom.metadata?.timestamp ? parseTimestamp(bom.metadata.timestamp) : null) ?? /* @__PURE__ */ new Date();
+	const productLookup = buildProductLookup(bom);
+	const publisher = publisherIdentityOrDefault(bom);
+	const overrides = [];
+	for (const v of bom.vulnerabilities ?? []) {
+		const o = vulnerabilityToOverride(v, productLookup, docTime, publisher);
+		if (o) overrides.push(o);
+	}
+	if (overrides.length === 0) throw new Error("cyclonedx-vex-to-hdf: BOM contains no actionable VEX statements (only exploitable/in_triage or no analysis); no amendment to write");
+	const publisherName = publisher.identifier;
+	return {
+		name: publisherName && publisherName !== "cyclonedx-vex-import" ? `CycloneDX VEX statements from ${publisherName}` : "CycloneDX VEX statements",
+		description: bom.serialNumber ? `Imported CycloneDX VEX ${bom.serialNumber}` : "Imported CycloneDX VEX",
+		overrides,
+		appliedBy: publisher,
+		generator: {
+			name: "cyclonedx-vex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input)
+	};
+}
+function vulnerabilityToOverride(v, productLookup, docTime, publisher) {
+	if (!v.id || !v.analysis?.state) return void 0;
+	const canonical = normalizeStatus(v.analysis.state);
+	if (!canonical) return void 0;
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const affectedPackages = affectedPackagesForVuln(v, productLookup);
+	const expiresAt = new Date(docTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS);
+	const override = {
+		type: target.overrideType,
+		requirementId: v.id,
+		appliedAt: docTime,
+		expiresAt,
+		appliedBy: publisher,
+		reason: buildReason(v)
+	};
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification && v.analysis.justification) {
+		const j = normalizeJustification(v.analysis.justification);
+		if (j) override.justification = j;
+	}
+	const evidence = [];
+	if (v.source?.url) {
+		const ev = supplierEvidence(v.source.url, v.source.name ?? "");
+		if (ev) evidence.push(ev);
+	}
+	for (const r of v.references ?? []) {
+		if (!r.source?.url) continue;
+		const ev = supplierEvidence(r.source.url, r.source.name ?? "");
+		if (ev) evidence.push(ev);
+	}
+	if (evidence.length > 0) override.evidence = evidence;
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: firstActionFromResponse(v.analysis.response ?? []) || target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function buildReason(v) {
+	const parts = [];
+	if (v.description) parts.push(v.description);
+	if (v.analysis?.detail) parts.push(v.analysis.detail);
+	return parts.join("\n");
+}
+/**
+* Resolve CycloneDX affects[].ref entries to structured AffectedPackage
+* entries. Looks up the bom-ref in the component table to recover purl,
+* name/version. Opaque bom-refs with no component-table match are dropped
+* (the schema forbids fabricating name+version, and bom-refs aren't
+* portable identifiers outside their source BOM).
+*/
+function affectedPackagesForVuln(v, lookup) {
+	const out = [];
+	const seenKeys = /* @__PURE__ */ new Set();
+	for (const a of v.affects ?? []) {
+		if (!a.ref) continue;
+		const comp = lookup.get(a.ref);
+		const pkg = comp ? affectedPackageFromComponent(comp) : affectedPackageFromIdentifier(a.ref);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+/**
+* Build an AffectedPackage from a CycloneDX Component. Prefers structured
+* purl decomposition via the shared helper (so name/version/ecosystem are
+* also populated when the purl is parseable); falls back to the component's
+* name+version when no purl is set. Returns undefined when the component
+* carries neither a purl nor a name+version pair (schema requires at least
+* name+version+ecosystem, purl, or cpe).
+*/
+function affectedPackageFromComponent(c) {
+	if (c.purl) return affectedPackageFromIdentifier(c.purl);
+	if (c.name && c.version) return {
+		name: c.name,
+		version: c.version,
+		ecosystem: Ecosystem.Generic
+	};
+}
+function buildProductLookup(bom) {
+	const lookup = /* @__PURE__ */ new Map();
+	const root = bom.metadata?.component;
+	if (root?.["bom-ref"]) lookup.set(root["bom-ref"], root);
+	for (const c of bom.components ?? []) if (c["bom-ref"]) lookup.set(c["bom-ref"], c);
+	return lookup;
+}
+function firstActionFromResponse(resp) {
+	for (const r of resp) switch (r.trim().toLowerCase()) {
+		case "update": return "Apply vendor update and re-scan to verify.";
+		case "rollback": return "Roll back to the unaffected version and re-scan to verify.";
+		case "workaround_available": return "Apply the documented workaround.";
+	}
+	return "";
+}
+function publisherIdentityOrDefault(bom) {
+	for (const a of bom.metadata?.authors ?? []) {
+		if (a.email) return {
+			type: IdentityType.Email,
+			identifier: a.email
+		};
+		if (a.name) return {
+			type: IdentityType.Simple,
+			identifier: a.name
+		};
+	}
+	for (const t of bom.metadata?.tools ?? []) {
+		const ident = [t.vendor, t.name].filter(Boolean).join(" ").trim();
+		if (ident) return {
+			type: IdentityType.System,
+			identifier: ident
+		};
+	}
+	return {
+		type: IdentityType.System,
+		identifier: "cyclonedx-vex-import"
+	};
+}
+//#endregion
+//#region converters/hdf-to-csaf-vex/typescript/converter.ts
+/**
+* HDF Amendments to CSAF VEX (csaf_vex profile) converter.
+*
+* Reverse direction of csaf-vex-to-hdf. Intentionally partial-fidelity:
+* fields the shared VEX mapping considers consumer-action-bearing survive
+* round-trip; the rest collapse into the available CSAF fields.
+*/
+const CVE_ID_PATTERN$2 = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE$2 = /^Products:\s*(.+)$/m;
+const DEFAULT_PRODUCT_ID$2 = "HDFPID-0001";
+function convertHdfToCsafVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-csaf-vex");
+	const amendments = parseJSON(input);
+	const groups = groupByCVE(amendments.overrides ?? []);
+	const productSet = /* @__PURE__ */ new Map();
+	const vulnerabilities = [];
+	for (const group of groups) {
+		const v = buildVulnerability(group);
+		if (!v) continue;
+		vulnerabilities.push(v);
+		for (const p of productIDsForGroup(group)) productSet.set(p, true);
+	}
+	if (vulnerabilities.length === 0) throw new Error("hdf-to-csaf-vex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	const products = [...productSet.keys()].sort();
+	const doc = buildDocument(amendments, converterVersion);
+	doc.vulnerabilities = vulnerabilities;
+	doc.product_tree.full_product_names = products.length > 0 ? products.map((p) => ({
+		name: p,
+		product_id: p
+	})) : [{
+		name: DEFAULT_PRODUCT_ID$2,
+		product_id: DEFAULT_PRODUCT_ID$2
+	}];
+	return JSON.stringify(doc, null, 2);
+}
+function groupByCVE(overrides) {
+	const groups = /* @__PURE__ */ new Map();
+	for (const o of overrides) {
+		if (!CVE_ID_PATTERN$2.test(o.requirementId)) continue;
+		let g = groups.get(o.requirementId);
+		if (!g) {
+			g = {
+				cve: o.requirementId,
+				overrides: []
+			};
+			groups.set(o.requirementId, g);
+		}
+		g.overrides.push(o);
+	}
+	return [...groups.values()].sort((a, b) => a.cve.localeCompare(b.cve));
+}
+function productIDsForGroup(group) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const o of group.overrides) for (const p of productIDsFor$1(o)) seen.add(p);
+	return [...seen].sort();
+}
+function productIDsFor$1(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids;
+	}
+	if (o.componentRef) return [o.componentRef];
+	const m = PRODUCTS_LINE$2.exec(o.reason ?? "");
+	if (m && m[1]) {
+		const parts = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+		if (parts.length > 0) return parts;
+	}
+	return [DEFAULT_PRODUCT_ID$2];
+}
+function stripProductsLine$1(reason) {
+	return reason.replace(PRODUCTS_LINE$2, "").replace(/\n+$/, "");
+}
+function allMilestonesCompleted$2(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function buildVulnerability(group) {
+	const v = { cve: group.cve };
+	const status = {};
+	let emitted = false;
+	for (const o of group.overrides) {
+		const pids = productIDsFor$1(o);
+		let canonical = exportStatusFor(o, allMilestonesCompleted$2(o), false);
+		if (!canonical) continue;
+		if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted$2(o)) canonical = VexStatus.Fixed;
+		if (canonical === VexStatus.NotAffected) {
+			status.known_not_affected = (status.known_not_affected ?? []).concat(pids);
+			if (o.justification) {
+				v.flags = v.flags ?? [];
+				v.flags.push({
+					label: String(o.justification),
+					product_ids: pids,
+					date: new Date(o.appliedAt).toISOString().replace(/\.\d+Z$/, "Z")
+				});
+			}
+			emitted = true;
+		} else if (canonical === VexStatus.Fixed) {
+			status.fixed = (status.fixed ?? []).concat(pids);
+			for (const m of o.milestones ?? []) {
+				if (!m.description) continue;
+				v.remediations = v.remediations ?? [];
+				v.remediations.push({
+					category: "vendor_fix",
+					details: m.description,
+					product_ids: pids
+				});
+			}
+			emitted = true;
+		} else if (canonical === VexStatus.Affected) {
+			status.known_affected = (status.known_affected ?? []).concat(pids);
+			if (o.reason) {
+				v.threats = v.threats ?? [];
+				v.threats.push({
+					category: "impact",
+					details: stripProductsLine$1(o.reason),
+					product_ids: pids
+				});
+			}
+			if (o.type === OverrideType.Poam) for (const m of o.milestones ?? []) {
+				if (!m.description) continue;
+				v.remediations = v.remediations ?? [];
+				v.remediations.push({
+					category: "workaround",
+					details: m.description,
+					product_ids: pids
+				});
+			}
+			emitted = true;
+		}
+		for (const e of o.evidence ?? []) {
+			if (e.type !== "url" || !e.data) continue;
+			v.references = v.references ?? [];
+			v.references.push({
+				category: "external",
+				summary: e.description ?? "",
+				url: e.data
+			});
+		}
+	}
+	/* c8 ignore next */
+	if (!emitted) return void 0;
+	if (status.fixed) status.fixed = [...new Set(status.fixed)];
+	if (status.known_affected) status.known_affected = [...new Set(status.known_affected)];
+	if (status.known_not_affected) status.known_not_affected = [...new Set(status.known_not_affected)];
+	v.product_status = status;
+	if (v.references) {
+		const seen = /* @__PURE__ */ new Set();
+		v.references = v.references.filter((r) => {
+			if (seen.has(r.url)) return false;
+			seen.add(r.url);
+			return true;
+		});
+	}
+	return v;
+}
+function buildDocument(amendments, converterVersion) {
+	const now = (/* @__PURE__ */ new Date()).toISOString().replace(/\.\d+Z$/, "Z");
+	const publisherName = amendments.appliedBy?.identifier || "HDF Amendments Export";
+	const trackingId = amendments.amendmentId || "HDF-VEX-EXPORT";
+	const docVersion = amendments.version || "1";
+	const title = amendments.name || "HDF Amendments exported as CSAF VEX";
+	const notes = [];
+	if (amendments.description) notes.push({
+		category: "summary",
+		text: amendments.description,
+		title: "Description"
+	});
+	return {
+		document: {
+			category: "csaf_vex",
+			csaf_version: "2.0",
+			title,
+			notes,
+			publisher: {
+				category: "other",
+				name: publisherName
+			},
+			tracking: {
+				id: trackingId,
+				status: "final",
+				version: docVersion,
+				current_release_date: now,
+				initial_release_date: now,
+				revision_history: [{
+					date: now,
+					number: docVersion,
+					summary: "Generated by hdf-to-csaf-vex from HDF Amendments."
+				}],
+				generator: {
+					engine: {
+						name: "hdf-to-csaf-vex",
+						version: converterVersion
+					},
+					date: now
+				}
+			}
+		},
+		product_tree: { full_product_names: [] },
+		vulnerabilities: []
+	};
+}
+//#endregion
+//#region converters/hdf-to-openvex/typescript/converter.ts
+/**
+* HDF Amendments to OpenVEX converter.
+*
+* Reverse direction of openvex-to-hdf. Step 4f amendment-output pattern,
+* partial-fidelity by design — consumer-action-bearing fields (CVE id,
+* status, justification) survive round-trip; the rest collapse.
+*/
+const CVE_ID_PATTERN$1 = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE$1 = /^Products:\s*(.+)$/m;
+const OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0";
+const OPENVEX_NAMESPACE = "https://openvex.dev/docs/public/";
+const DEFAULT_PRODUCT_ID$1 = "HDFPID-0001";
+async function convertHdfToOpenVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-openvex");
+	const amendments = parseJSON(input);
+	const statements = [];
+	let earliest;
+	for (const o of amendments.overrides ?? []) {
+		const s = overrideToStatement(o);
+		if (!s) continue;
+		statements.push(s);
+		const t = new Date(o.appliedAt);
+		if (!earliest || t < earliest) earliest = t;
+	}
+	if (statements.length === 0) throw new Error("hdf-to-openvex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	statements.sort((a, b) => a.vulnerability.name.localeCompare(b.vulnerability.name));
+	const author = amendments.appliedBy?.identifier || "HDF Amendments Export";
+	const role = amendments.appliedBy?.description;
+	const doc = {
+		"@context": OPENVEX_CONTEXT,
+		"@id": await buildDocumentID(input, amendments),
+		author,
+		role,
+		timestamp: (earliest ?? /* @__PURE__ */ new Date()).toISOString().replace(/\.\d+Z$/, "Z"),
+		version: 1,
+		statements
+	};
+	return JSON.stringify(doc, null, 2);
+}
+function overrideToStatement(o) {
+	if (!CVE_ID_PATTERN$1.test(o.requirementId)) return void 0;
+	let canonical = exportStatusFor(o, allMilestonesCompleted$1(o), false);
+	if (!canonical) return void 0;
+	if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted$1(o)) canonical = VexStatus.Fixed;
+	const stmt = {
+		vulnerability: {
+			name: o.requirementId,
+			"@id": `https://nvd.nist.gov/vuln/detail/${o.requirementId}`
+		},
+		status: String(canonical),
+		timestamp: new Date(o.appliedAt).toISOString().replace(/\.\d+Z$/, "Z"),
+		products: productsFor(o)
+	};
+	if (canonical === VexStatus.NotAffected) {
+		if (o.justification) stmt.justification = String(o.justification);
+		const impact = stripProductsLine(o.reason ?? "");
+		if (impact) stmt.impact_statement = impact;
+	} else if (canonical === VexStatus.Fixed) stmt.action_statement = firstMilestoneAction(o) || "Fix applied; consumer re-scan confirmed clean.";
+	else if (canonical === VexStatus.Affected) stmt.action_statement = firstMilestoneAction(o) || stripProductsLine(o.reason ?? "");
+	return stmt;
+}
+function productsFor(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids.map((id) => ({ "@id": id }));
+	}
+	let ids = [];
+	if (o.componentRef) ids = [o.componentRef];
+	else {
+		const m = PRODUCTS_LINE$1.exec(o.reason ?? "");
+		if (m && m[1]) ids = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+	}
+	if (ids.length === 0) ids = [DEFAULT_PRODUCT_ID$1];
+	return ids.map((id) => ({ "@id": id }));
+}
+function firstMilestoneAction(o) {
+	for (const m of o.milestones ?? []) if (m.description) return m.description;
+	return "";
+}
+function allMilestonesCompleted$1(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function stripProductsLine(reason) {
+	return reason.replace(PRODUCTS_LINE$1, "").replace(/\n+$/, "");
+}
+async function buildDocumentID(input, a) {
+	if (a.amendmentId) return `${OPENVEX_NAMESPACE}vex-${a.amendmentId}`;
+	return `${OPENVEX_NAMESPACE}vex-${await sha256(input)}`;
+}
+//#endregion
+//#region converters/hdf-to-cyclonedx-vex/typescript/converter.ts
+/**
+* HDF Amendments to CycloneDX VEX converter (export side).
+*
+* Reverse direction of cyclonedx-vex-to-hdf. Step 4f amendment-output
+* pattern, partial-fidelity by design — consumer-action-bearing fields
+* (CVE id, status, justification) survive round-trip; the rest collapse
+* into the available CycloneDX VEX fields.
+*/
+const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE = /^Products:\s*(.+)$/m;
+const RAW_JUST_LINE = /^VEX justification:\s*(.+)$/m;
+const RESPONSE_LINE = /^Response:.*$/gm;
+const DEFAULT_PRODUCT_ID = "HDFPID-0001";
+function convertHdfToCyclonedxVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-cyclonedx-vex");
+	const amendments = parseJSON(input);
+	const componentRegistry = /* @__PURE__ */ new Map();
+	const vulnerabilities = [];
+	let earliest;
+	for (const o of amendments.overrides ?? []) {
+		if (!CVE_ID_PATTERN.test(o.requirementId)) continue;
+		const v = overrideToVulnerability(o, componentRegistry);
+		if (!v) continue;
+		vulnerabilities.push(v);
+		const t = new Date(o.appliedAt);
+		if (!earliest || t < earliest) earliest = t;
+	}
+	if (vulnerabilities.length === 0) throw new Error("hdf-to-cyclonedx-vex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	vulnerabilities.sort((a, b) => a.id.localeCompare(b.id));
+	const components = [...componentRegistry.values()].sort((a, b) => a["bom-ref"].localeCompare(b["bom-ref"]));
+	const bom = {
+		bomFormat: "CycloneDX",
+		specVersion: "1.4",
+		serialNumber: buildSerialNumberSync(input, amendments),
+		version: 1,
+		metadata: buildMetadata(amendments, earliest ?? /* @__PURE__ */ new Date(), converterVersion),
+		components,
+		vulnerabilities
+	};
+	return JSON.stringify(bom, null, 2);
+}
+function overrideToVulnerability(o, componentRegistry) {
+	let canonical = exportStatusFor(o, allMilestonesCompleted(o), false);
+	if (!canonical) return void 0;
+	if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted(o)) canonical = VexStatus.Fixed;
+	const pids = productIDsFor(o);
+	const pkgById = /* @__PURE__ */ new Map();
+	for (const p of o.affectedPackages ?? []) {
+		const id = affectedPackageToIdentifier(p);
+		if (id) pkgById.set(id, p);
+	}
+	for (const pid of pids) componentRegistry.set(pid, componentFor(pid, pkgById.get(pid)));
+	const analysis = { state: canonicalToCycloneDXState(canonical) };
+	if (o.justification) {
+		const cdxJust = justificationForCycloneDX(o.justification);
+		if (cdxJust) analysis.justification = cdxJust;
+	}
+	const detail = stripReasonAnnotations(o.reason ?? "");
+	if (detail) analysis.detail = detail;
+	if (canonical === VexStatus.Fixed) analysis.response = ["update"];
+	else if (canonical === VexStatus.Affected && o.type === OverrideType.Poam) analysis.response = ["workaround_available"];
+	const v = {
+		id: o.requirementId,
+		source: {
+			name: "NVD",
+			url: `https://nvd.nist.gov/vuln/detail/${o.requirementId}`
+		},
+		analysis,
+		affects: pids.map((p) => ({ ref: p }))
+	};
+	for (const e of o.evidence ?? []) {
+		if (e.type !== "url" || !e.data) continue;
+		v.references = v.references ?? [];
+		v.references.push({
+			id: o.requirementId,
+			source: {
+				name: e.description ?? "",
+				url: e.data
+			}
+		});
+	}
+	return v;
+}
+function canonicalToCycloneDXState(canonical) {
+	switch (canonical) {
+		case VexStatus.NotAffected: return "not_affected";
+		case VexStatus.Fixed: return "resolved";
+		case VexStatus.Affected: return "exploitable";
+		/* c8 ignore next 2 — defensive: every VexStatus has a case above */
+		default: return canonical;
+	}
+}
+function componentFor(pid, pkg) {
+	const c = {
+		type: "application",
+		name: pkg?.name ?? pid,
+		"bom-ref": pid
+	};
+	if (pkg?.version) c.version = pkg.version;
+	if (pkg?.purl ?? (pid.startsWith("pkg:") ? pid : void 0)) c.purl = pkg?.purl ?? pid;
+	if (pkg?.cpe ?? (pid.startsWith("cpe:2.3:") ? pid : void 0)) c.cpe = pkg?.cpe ?? pid;
+	return c;
+}
+function productIDsFor(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids;
+	}
+	if (o.componentRef) return [o.componentRef];
+	const m = PRODUCTS_LINE.exec(o.reason ?? "");
+	if (m && m[1]) {
+		const parts = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+		if (parts.length > 0) return parts;
+	}
+	return [DEFAULT_PRODUCT_ID];
+}
+function stripReasonAnnotations(reason) {
+	return reason.replace(PRODUCTS_LINE, "").replace(RAW_JUST_LINE, "").replace(RESPONSE_LINE, "").trim();
+}
+function allMilestonesCompleted(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function buildMetadata(a, docTime, converterVersion) {
+	const metadata = {
+		timestamp: docTime.toISOString().replace(/\.\d+Z$/, "Z"),
+		tools: [{
+			vendor: "mitre",
+			name: "hdf-to-cyclonedx-vex",
+			version: converterVersion
+		}]
+	};
+	if (a.appliedBy?.identifier) {
+		const author = {};
+		if (a.appliedBy.type === IdentityType.Email) author.email = a.appliedBy.identifier;
+		else author.name = a.appliedBy.identifier;
+		metadata.authors = [author];
+	}
+	return metadata;
+}
+function buildSerialNumberSync(input, a) {
+	if (a.amendmentId) return `urn:uuid:${a.amendmentId}`;
+	return `urn:uuid:${fnv1a(input)}`;
+}
+function fnv1a(s) {
+	let h = 2166136261;
+	for (let i = 0; i < s.length; i++) {
+		h ^= s.charCodeAt(i);
+		h = Math.imul(h, 16777619) >>> 0;
+	}
+	const d = h.toString(16).padStart(8, "0");
+	return (d + d + d + d).slice(0, 32);
+}
+//#endregion
 //#region converters/oscal-to-hdf/typescript/detect.ts
 /**
 * OSCAL document type detection.
@@ -7167,7 +9059,7 @@ async function catalogToBaseline(catalog, rawInput) {
 		requirements,
 		groups,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-catalog-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -7410,7 +9302,7 @@ async function convertOscalComponentToHdf(input) {
 		integrity,
 		requirements,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-component-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -7471,7 +9363,7 @@ async function convertOscalSspToHdf(input) {
 		integrity,
 		components: [],
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-ssp-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -7598,13 +9490,13 @@ function sspComponentToHDFComponent(sc, componentControls) {
 function mapOSCALComponentType(oscalType) {
 	switch (oscalType.toLowerCase()) {
 		case "software":
-		case "this-system": return BoundaryDescription.Application;
-		case "service": return BoundaryDescription.Application;
-		case "hardware": return BoundaryDescription.Host;
-		case "network": return BoundaryDescription.Network;
-		case "database": return BoundaryDescription.Database;
-		case "storage": return BoundaryDescription.Artifact;
-		default: return BoundaryDescription.Application;
+		case "this-system": return TargetType.Application;
+		case "service": return TargetType.Application;
+		case "hardware": return TargetType.Host;
+		case "network": return TargetType.Network;
+		case "database": return TargetType.Database;
+		case "storage": return TargetType.Artifact;
+		default: return TargetType.Application;
 	}
 }
 //#endregion
@@ -7641,7 +9533,7 @@ async function convertOscalSapToHdf(input) {
 		type: planType,
 		description,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-sap-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -7771,7 +9663,7 @@ async function convertOscalPoamToHdf(input) {
 		version: meta.version,
 		appliedBy,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-poam-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -8084,6 +9976,6 @@ function sarBaselineName(result, sar) {
 	return toKebabCase(result.title || sar.metadata.title, "oscal-assessment-results");
 }
 //#endregion
-export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertCheckovToHdf, convertCklToHdf, convertCklbToHdf, convertConveyorToHdf, convertCyclonedxToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCkl, convertHdfToCklb, convertHdfToCsv, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
+export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertCheckovToHdf, convertCklToHdf, convertCklbToHdf, convertConveyorToHdf, convertCsafVexToHdf, convertCyclonedxToHdf, convertCyclonedxVexToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCkl, convertHdfToCklb, convertHdfToCsafVex, convertHdfToCsv, convertHdfToCyclonedxVex, convertHdfToOpenVex, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOpenVexToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
 
 //# sourceMappingURL=index.js.map